Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/12062?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/12062?format=api", "purl": "pkg:pypi/django@2.1.2", "type": "pypi", "namespace": "", "name": "django", "version": "2.1.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.1.6", "latest_non_vulnerable_version": "6.0.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/6073?format=api", "vulnerability_id": "VCID-3mfy-uj9u-d7de", "summary": "silent downgrade", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12781" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-6c7v-2f49-8h26", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6c7v-2f49-8h26" }, { "reference_url": "https://github.com/django/django", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-10.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-10.yaml" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL/" }, { "reference_url": "https://seclists.org/bugtraq/2019/Jul/10", "reference_id": "", "reference_type": "", "scores": [], "url": "https://seclists.org/bugtraq/2019/Jul/10" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190705-0002", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190705-0002" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190705-0002/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190705-0002/" }, { "reference_url": "https://usn.ubuntu.com/4043-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4043-1" }, { "reference_url": "https://usn.ubuntu.com/4043-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4043-1/" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4476", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4476" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/jul/01/security-releases/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/07/01/3", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/07/01/3" }, { "reference_url": "http://www.securityfocus.com/bid/109018", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/109018" }, { "reference_url": "https://security.archlinux.org/ASA-201907-2", "reference_id": "ASA-201907-2", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-201907-2" }, { "reference_url": "https://security.archlinux.org/AVG-1000", "reference_id": "AVG-1000", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1000" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12781", "reference_id": "CVE-2019-12781", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12781" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13595?format=api", "purl": "pkg:pypi/django@2.1.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-c3m7-fu62-2qd9" }, { "vulnerability": "VCID-g44a-m54u-97cr" }, { "vulnerability": "VCID-gfar-wbzc-3ubr" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-yreb-z7nz-jkbs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/13596?format=api", "purl": "pkg:pypi/django@2.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cp2-k4mn-8ffj" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-5q58-pzt4-8uey" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-c3m7-fu62-2qd9" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fhp8-tck4-mye4" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-g44a-m54u-97cr" }, { "vulnerability": "VCID-gfar-wbzc-3ubr" }, { "vulnerability": "VCID-hh9b-52xn-z7a9" }, { "vulnerability": "VCID-j81e-su1y-tqa6" }, { "vulnerability": "VCID-m4wa-xv9b-q7ce" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-na9w-xkvx-cbhd" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-q8r2-m9s6-rbek" }, { "vulnerability": "VCID-qvfs-2v1h-p3h4" }, { "vulnerability": "VCID-u9q1-63gf-7feh" }, { "vulnerability": "VCID-vdpf-jddk-syda" }, { "vulnerability": "VCID-yreb-z7nz-jkbs" }, { "vulnerability": "VCID-z4x1-e7tp-rqhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.3" } ], "aliases": [ "CVE-2019-12781", "GHSA-6c7v-2f49-8h26", "PYSEC-2019-10" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3mfy-uj9u-d7de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7347?format=api", "vulnerability_id": "VCID-9mpt-zxaw-kkeg", "summary": "multiple issues", "references": [ { "reference_url": "https://docs.djangoproject.com/en/3.2/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/3.2/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-68w8-qjq3-2gfm", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-68w8-qjq3-2gfm" }, { "reference_url": "https://groups.google.com/forum/#!forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases/" }, { "reference_url": "https://security.archlinux.org/ASA-202106-41", "reference_id": "ASA-202106-41", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202106-41" }, { "reference_url": "https://security.archlinux.org/AVG-2026", "reference_id": "AVG-2026", "reference_type": "", "scores": [ { "value": "Medium", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2026" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22501?format=api", "purl": "pkg:pypi/django@2.2.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/22502?format=api", "purl": "pkg:pypi/django@3.1.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4pb2-tqru-uufs" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.1.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/22503?format=api", "purl": "pkg:pypi/django@3.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-29qk-rv5n-efbm" }, { "vulnerability": "VCID-2n2n-1fq2-7bbs" }, { "vulnerability": "VCID-4pb2-tqru-uufs" }, { "vulnerability": "VCID-4z4e-8ttu-tyd6" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-am3f-c5ex-8ff2" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-au8h-vj9k-pufv" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-f4a7-tcz5-byfj" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-fsaw-3ta1-x3dw" }, { "vulnerability": "VCID-m1dr-sjmw-jfd2" }, { "vulnerability": "VCID-m33h-4p9q-63fb" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-qgp1-4efd-6yg6" }, { "vulnerability": "VCID-yuda-1mur-8bbq" }, { "vulnerability": "VCID-z6tf-z1y9-cydq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.2.4" } ], "aliases": [ "CVE-2021-33203", "GHSA-68w8-qjq3-2gfm", "PYSEC-2021-98" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9mpt-zxaw-kkeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35392?format=api", "vulnerability_id": "VCID-c3m7-fu62-2qd9", "summary": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-c4qh-4vgv-qc6g", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c4qh-4vgv-qc6g" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/" }, { "reference_url": "https://seclists.org/bugtraq/2019/Aug/15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://seclists.org/bugtraq/2019/Aug/15" }, { "reference_url": "https://security.gentoo.org/glsa/202004-17", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202004-17" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190828-0002/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190828-0002/" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4498", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4498" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13926?format=api", "purl": "pkg:pypi/django@2.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/13927?format=api", "purl": "pkg:pypi/django@2.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cp2-k4mn-8ffj" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-5q58-pzt4-8uey" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fhp8-tck4-mye4" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-hh9b-52xn-z7a9" }, { "vulnerability": "VCID-j81e-su1y-tqa6" }, { "vulnerability": "VCID-m4wa-xv9b-q7ce" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-na9w-xkvx-cbhd" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-q8r2-m9s6-rbek" }, { "vulnerability": "VCID-qvfs-2v1h-p3h4" }, { "vulnerability": "VCID-u9q1-63gf-7feh" }, { "vulnerability": "VCID-vdpf-jddk-syda" }, { "vulnerability": "VCID-z4x1-e7tp-rqhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.4" } ], "aliases": [ "CVE-2019-14232", "GHSA-c4qh-4vgv-qc6g", "PYSEC-2019-11" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c3m7-fu62-2qd9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35305?format=api", "vulnerability_id": "VCID-f1br-hvnm-wfdg", "summary": "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-337x-4q8g-prc5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-337x-4q8g-prc5" }, { "reference_url": "https://github.com/django/django", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-17.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-17.yaml" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/" }, { "reference_url": "https://usn.ubuntu.com/3851-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3851-1" }, { "reference_url": "https://usn.ubuntu.com/3851-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3851-1/" }, { "reference_url": "https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106453", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106453" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4363", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4363" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/jan/04/security-releases/" }, { "reference_url": "http://www.securityfocus.com/bid/106453", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/106453" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3498", "reference_id": "CVE-2019-3498", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3498" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/12707?format=api", "purl": "pkg:pypi/django@2.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3mfy-uj9u-d7de" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-c3m7-fu62-2qd9" }, { "vulnerability": "VCID-g44a-m54u-97cr" }, { "vulnerability": "VCID-gfar-wbzc-3ubr" }, { "vulnerability": "VCID-kbab-v2gz-dfe6" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-t952-ghnf-jkby" }, { "vulnerability": "VCID-yreb-z7nz-jkbs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.5" } ], "aliases": [ "CVE-2019-3498", "GHSA-337x-4q8g-prc5", "PYSEC-2019-17" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f1br-hvnm-wfdg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35394?format=api", "vulnerability_id": "VCID-g44a-m54u-97cr", "summary": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-v9qg-3j8p-r63v", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v9qg-3j8p-r63v" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/" }, { "reference_url": "https://seclists.org/bugtraq/2019/Aug/15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://seclists.org/bugtraq/2019/Aug/15" }, { "reference_url": "https://security.gentoo.org/glsa/202004-17", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202004-17" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190828-0002/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190828-0002/" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4498", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4498" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13926?format=api", "purl": "pkg:pypi/django@2.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/13927?format=api", "purl": "pkg:pypi/django@2.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cp2-k4mn-8ffj" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-5q58-pzt4-8uey" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fhp8-tck4-mye4" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-hh9b-52xn-z7a9" }, { "vulnerability": "VCID-j81e-su1y-tqa6" }, { "vulnerability": "VCID-m4wa-xv9b-q7ce" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-na9w-xkvx-cbhd" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-q8r2-m9s6-rbek" }, { "vulnerability": "VCID-qvfs-2v1h-p3h4" }, { "vulnerability": "VCID-u9q1-63gf-7feh" }, { "vulnerability": "VCID-vdpf-jddk-syda" }, { "vulnerability": "VCID-z4x1-e7tp-rqhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.4" } ], "aliases": [ "CVE-2019-14235", "GHSA-v9qg-3j8p-r63v", "PYSEC-2019-14" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g44a-m54u-97cr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35393?format=api", "vulnerability_id": "VCID-gfar-wbzc-3ubr", "summary": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-h5jv-4p7w-64jg", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h5jv-4p7w-64jg" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/" }, { "reference_url": "https://seclists.org/bugtraq/2019/Aug/15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://seclists.org/bugtraq/2019/Aug/15" }, { "reference_url": "https://security.gentoo.org/glsa/202004-17", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202004-17" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190828-0002/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190828-0002/" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4498", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4498" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13926?format=api", "purl": "pkg:pypi/django@2.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/13927?format=api", "purl": "pkg:pypi/django@2.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cp2-k4mn-8ffj" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-5q58-pzt4-8uey" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fhp8-tck4-mye4" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-hh9b-52xn-z7a9" }, { "vulnerability": "VCID-j81e-su1y-tqa6" }, { "vulnerability": "VCID-m4wa-xv9b-q7ce" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-na9w-xkvx-cbhd" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-q8r2-m9s6-rbek" }, { "vulnerability": "VCID-qvfs-2v1h-p3h4" }, { "vulnerability": "VCID-u9q1-63gf-7feh" }, { "vulnerability": "VCID-vdpf-jddk-syda" }, { "vulnerability": "VCID-z4x1-e7tp-rqhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.4" } ], "aliases": [ "CVE-2019-14233", "GHSA-h5jv-4p7w-64jg", "PYSEC-2019-12" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gfar-wbzc-3ubr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35364?format=api", "vulnerability_id": "VCID-kbab-v2gz-dfe6", "summary": "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/1.11.21", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/1.11.21" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/1.11.21/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/1.11.21/" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/2.1.9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/2.1.9" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/2.1.9/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/2.1.9/" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/2.2.2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/2.2.2" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/2.2.2/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/2.2.2/" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-7rp2-fm2h-wchj", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7rp2-fm2h-wchj" }, { "reference_url": "https://github.com/django/django", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django" }, { "reference_url": "https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62" }, { "reference_url": "https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673" }, { "reference_url": "https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-79.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-79.yaml" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/GEbHU7YoVz8" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00001.html" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00001.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/USYRARSYB7PE3S2ZQO7PZNWMH7RPGL5G/" }, { "reference_url": "https://seclists.org/bugtraq/2019/Jul/10", "reference_id": "", "reference_type": "", "scores": [], "url": "https://seclists.org/bugtraq/2019/Jul/10" }, { "reference_url": "https://security.gentoo.org/glsa/202004-17", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202004-17" }, { "reference_url": "https://usn.ubuntu.com/4043-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4043-1" }, { "reference_url": "https://usn.ubuntu.com/4043-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4043-1/" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4476", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4476" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/06/03/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/06/03/2" }, { "reference_url": "http://www.securityfocus.com/bid/108559", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/108559" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12308", "reference_id": "CVE-2019-12308", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12308" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13468?format=api", "purl": "pkg:pypi/django@2.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3mfy-uj9u-d7de" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-c3m7-fu62-2qd9" }, { "vulnerability": "VCID-g44a-m54u-97cr" }, { "vulnerability": "VCID-gfar-wbzc-3ubr" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-yreb-z7nz-jkbs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/13470?format=api", "purl": "pkg:pypi/django@2.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3mfy-uj9u-d7de" }, { "vulnerability": "VCID-4cp2-k4mn-8ffj" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-5q58-pzt4-8uey" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-c3m7-fu62-2qd9" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fhp8-tck4-mye4" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-g44a-m54u-97cr" }, { "vulnerability": "VCID-gfar-wbzc-3ubr" }, { "vulnerability": "VCID-hh9b-52xn-z7a9" }, { "vulnerability": "VCID-j81e-su1y-tqa6" }, { "vulnerability": "VCID-m4wa-xv9b-q7ce" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-na9w-xkvx-cbhd" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-q8r2-m9s6-rbek" }, { "vulnerability": "VCID-qvfs-2v1h-p3h4" }, { "vulnerability": "VCID-u9q1-63gf-7feh" }, { "vulnerability": "VCID-vdpf-jddk-syda" }, { "vulnerability": "VCID-yreb-z7nz-jkbs" }, { "vulnerability": "VCID-z4x1-e7tp-rqhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.2" } ], "aliases": [ "CVE-2019-12308", "GHSA-7rp2-fm2h-wchj", "PYSEC-2019-79" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kbab-v2gz-dfe6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35453?format=api", "vulnerability_id": "VCID-pgtx-cdua-kfb4", "summary": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-hvmf-r92r-27hr", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-hvmf-r92r-27hr" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/" }, { "reference_url": "https://security.gentoo.org/glsa/202004-17", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202004-17" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20191217-0003/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20191217-0003/" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2019/12/02/1", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2019/12/02/1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/14671?format=api", "purl": "pkg:pypi/django@2.1.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9mpt-zxaw-kkeg" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/14672?format=api", "purl": "pkg:pypi/django@2.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cp2-k4mn-8ffj" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-5q58-pzt4-8uey" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fhp8-tck4-mye4" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-hh9b-52xn-z7a9" }, { "vulnerability": "VCID-j81e-su1y-tqa6" }, { "vulnerability": "VCID-m4wa-xv9b-q7ce" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-na9w-xkvx-cbhd" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-q8r2-m9s6-rbek" }, { "vulnerability": "VCID-qvfs-2v1h-p3h4" }, { "vulnerability": "VCID-u9q1-63gf-7feh" }, { "vulnerability": "VCID-vdpf-jddk-syda" }, { "vulnerability": "VCID-z4x1-e7tp-rqhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.8" } ], "aliases": [ "CVE-2019-19118", "GHSA-hvmf-r92r-27hr", "PYSEC-2019-15" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pgtx-cdua-kfb4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35322?format=api", "vulnerability_id": "VCID-t952-ghnf-jkby", "summary": "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-wh4h-v3f2-r2pp", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wh4h-v3f2-r2pp" }, { "reference_url": "https://github.com/django/django", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django" }, { "reference_url": "https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django/commit/0bbb560183fabf0533289700845dafa94951f227" }, { "reference_url": "https://github.com/django/django/commit/1f42f82566c9d2d73aff1c42790d6b1b243f7676", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django/commit/1f42f82566c9d2d73aff1c42790d6b1b243f7676" }, { "reference_url": "https://github.com/django/django/commit/40cd19055773705301c3428ed5e08a036d2091f3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django/commit/40cd19055773705301c3428ed5e08a036d2091f3" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-18.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-18.yaml" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/WTwEAprR0IQ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/WTwEAprR0IQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/" }, { "reference_url": "https://seclists.org/bugtraq/2019/Jul/10", "reference_id": "", "reference_type": "", "scores": [], "url": "https://seclists.org/bugtraq/2019/Jul/10" }, { "reference_url": "https://usn.ubuntu.com/3890-1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3890-1" }, { "reference_url": "https://usn.ubuntu.com/3890-1/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/3890-1/" }, { "reference_url": "https://web.archive.org/web/20200227084713/http://www.securityfocus.com/bid/106964", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200227084713/http://www.securityfocus.com/bid/106964" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4476", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4476" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/feb/11/security-releases/" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2019/02/11/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2019/02/11/1" }, { "reference_url": "http://www.securityfocus.com/bid/106964", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securityfocus.com/bid/106964" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6975", "reference_id": "CVE-2019-6975", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6975" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/57433?format=api", "purl": "pkg:pypi/django@2.1.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/13003?format=api", "purl": "pkg:pypi/django@2.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3mfy-uj9u-d7de" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-c3m7-fu62-2qd9" }, { "vulnerability": "VCID-g44a-m54u-97cr" }, { "vulnerability": "VCID-gfar-wbzc-3ubr" }, { "vulnerability": "VCID-kbab-v2gz-dfe6" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-yreb-z7nz-jkbs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.7" } ], "aliases": [ "CVE-2019-6975", "GHSA-wh4h-v3f2-r2pp", "PYSEC-2019-18" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t952-ghnf-jkby" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35396?format=api", "vulnerability_id": "VCID-yreb-z7nz-jkbs", "summary": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of \"OR 1=1\" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", "reference_id": "", "reference_type": "", "scores": [], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://github.com/advisories/GHSA-6r97-cj55-9hrq", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6r97-cj55-9hrq" }, { "reference_url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/" }, { "reference_url": "https://seclists.org/bugtraq/2019/Aug/15", "reference_id": "", "reference_type": "", "scores": [], "url": "https://seclists.org/bugtraq/2019/Aug/15" }, { "reference_url": "https://security.gentoo.org/glsa/202004-17", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202004-17" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190828-0002/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190828-0002/" }, { "reference_url": "https://www.debian.org/security/2019/dsa-4498", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.debian.org/security/2019/dsa-4498" }, { "reference_url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13926?format=api", "purl": "pkg:pypi/django@2.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/13927?format=api", "purl": "pkg:pypi/django@2.2.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cp2-k4mn-8ffj" }, { "vulnerability": "VCID-51tx-4tp9-kbcz" }, { "vulnerability": "VCID-5q58-pzt4-8uey" }, { "vulnerability": "VCID-6jpg-yrf8-cufy" }, { "vulnerability": "VCID-9end-mq19-rke5" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-attf-6gj8-ebaj" }, { "vulnerability": "VCID-drwp-htkk-bkfh" }, { "vulnerability": "VCID-fhp8-tck4-mye4" }, { "vulnerability": "VCID-fksk-pr23-2yd8" }, { "vulnerability": "VCID-hh9b-52xn-z7a9" }, { "vulnerability": "VCID-j81e-su1y-tqa6" }, { "vulnerability": "VCID-m4wa-xv9b-q7ce" }, { "vulnerability": "VCID-n9vn-4uxr-hkau" }, { "vulnerability": "VCID-na9w-xkvx-cbhd" }, { "vulnerability": "VCID-nss9-1yrb-x7f2" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-q8r2-m9s6-rbek" }, { "vulnerability": "VCID-qvfs-2v1h-p3h4" }, { "vulnerability": "VCID-u9q1-63gf-7feh" }, { "vulnerability": "VCID-vdpf-jddk-syda" }, { "vulnerability": "VCID-z4x1-e7tp-rqhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.2.4" } ], "aliases": [ "CVE-2019-14234", "GHSA-6r97-cj55-9hrq", "PYSEC-2019-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yreb-z7nz-jkbs" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35266?format=api", "vulnerability_id": "VCID-6xpv-ua1h-wfgp", "summary": "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", "references": [ { "reference_url": "https://github.com/advisories/GHSA-6mx3-3vqg-hpp2", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6mx3-3vqg-hpp2" }, { "reference_url": "https://github.com/django/django", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django" }, { "reference_url": "https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-3.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-3.yaml" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190502-0009", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190502-0009" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20190502-0009/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20190502-0009/" }, { "reference_url": "https://web.archive.org/web/20200517123022/http://www.securitytracker.com/id/1041749", "reference_id": "", "reference_type": "", "scores": [], "url": "https://web.archive.org/web/20200517123022/http://www.securitytracker.com/id/1041749" }, { "reference_url": "https://www.djangoproject.com/weblog/2018/oct/01/security-release", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2018/oct/01/security-release" }, { "reference_url": "https://www.djangoproject.com/weblog/2018/oct/01/security-release/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2018/oct/01/security-release/" }, { "reference_url": "http://www.securitytracker.com/id/1041749", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.securitytracker.com/id/1041749" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16984", "reference_id": "CVE-2018-16984", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16984" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/12062?format=api", "purl": "pkg:pypi/django@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3mfy-uj9u-d7de" }, { "vulnerability": "VCID-9mpt-zxaw-kkeg" }, { "vulnerability": "VCID-c3m7-fu62-2qd9" }, { "vulnerability": "VCID-f1br-hvnm-wfdg" }, { "vulnerability": "VCID-g44a-m54u-97cr" }, { "vulnerability": "VCID-gfar-wbzc-3ubr" }, { "vulnerability": "VCID-kbab-v2gz-dfe6" }, { "vulnerability": "VCID-pgtx-cdua-kfb4" }, { "vulnerability": "VCID-t952-ghnf-jkby" }, { "vulnerability": "VCID-yreb-z7nz-jkbs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.2" } ], "aliases": [ "CVE-2018-16984", "GHSA-6mx3-3vqg-hpp2", "PYSEC-2018-3" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6xpv-ua1h-wfgp" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@2.1.2" }