Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/django@3.0.1

Type pypi

Namespace

Name django

Version 3.0.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.1.14

Latest_non_vulnerable_version 6.0.5

Affected_by_vulnerabilities

url VCID-4cp2-k4mn-8ffj

vulnerability_id VCID-4cp2-k4mn-8ffj

summary An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.

references

reference_url	https://docs.djangoproject.com/en/3.0/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/3.0/releases/security/

reference_url	https://github.com/advisories/GHSA-2m34-jcjv-45xf
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-2m34-jcjv-45xf

reference_url	https://groups.google.com/forum/#!msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

reference_url	https://security.netapp.com/advisory/ntap-20200611-0002/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20200611-0002/

reference_url	https://usn.ubuntu.com/4381-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4381-1/

reference_url	https://usn.ubuntu.com/4381-2/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4381-2/

reference_url	https://www.debian.org/security/2020/dsa-4705
reference_id
reference_type
scores
url	https://www.debian.org/security/2020/dsa-4705

reference_url	https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2020/jun/03/security-releases/

reference_url	https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
url	https://www.oracle.com/security-alerts/cpujan2021.html

fixed_packages

url pkg:pypi/django@3.0.7

purl pkg:pypi/django@3.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-hh9b-52xn-z7a9

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-qvfs-2v1h-p3h4

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.7

aliases CVE-2020-13596, GHSA-2m34-jcjv-45xf, PYSEC-2020-32

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4cp2-k4mn-8ffj

url VCID-5q58-pzt4-8uey

vulnerability_id VCID-5q58-pzt4-8uey

summary Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

references

reference_url	https://docs.djangoproject.com/en/3.0/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/3.0/releases/security/

reference_url	https://github.com/advisories/GHSA-hmr4-m2h5-33qx
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-hmr4-m2h5-33qx

reference_url	https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
reference_id
reference_type
scores
url	https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136

reference_url	https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

reference_url	https://seclists.org/bugtraq/2020/Feb/30
reference_id
reference_type
scores
url	https://seclists.org/bugtraq/2020/Feb/30

reference_url	https://security.gentoo.org/glsa/202004-17
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/202004-17

reference_url	https://security.netapp.com/advisory/ntap-20200221-0006/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20200221-0006/

reference_url	https://usn.ubuntu.com/4264-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4264-1/

reference_url	https://www.debian.org/security/2020/dsa-4629
reference_id
reference_type
scores
url	https://www.debian.org/security/2020/dsa-4629

reference_url	https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2020/feb/03/security-releases/

reference_url	https://www.openwall.com/lists/oss-security/2020/02/03/1
reference_id
reference_type
scores
url	https://www.openwall.com/lists/oss-security/2020/02/03/1

reference_url	http://www.openwall.com/lists/oss-security/2020/02/03/1
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2020/02/03/1

fixed_packages

url pkg:pypi/django@3.0.3

purl pkg:pypi/django@3.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4cp2-k4mn-8ffj

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-hh9b-52xn-z7a9

vulnerability	VCID-m4wa-xv9b-q7ce

vulnerability	VCID-na9w-xkvx-cbhd

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-qvfs-2v1h-p3h4

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.3

aliases CVE-2020-7471, GHSA-hmr4-m2h5-33qx, PYSEC-2020-35

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5q58-pzt4-8uey

url VCID-9mpt-zxaw-kkeg

vulnerability_id VCID-9mpt-zxaw-kkeg

summary multiple issues

references

reference_url	https://docs.djangoproject.com/en/3.2/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/3.2/releases/security/

reference_url	https://github.com/advisories/GHSA-68w8-qjq3-2gfm
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-68w8-qjq3-2gfm

reference_url	https://groups.google.com/forum/#!forum/django-announce
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!forum/django-announce

reference_url	https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

reference_url	https://security.archlinux.org/ASA-202106-41
reference_id	ASA-202106-41
reference_type
scores
url	https://security.archlinux.org/ASA-202106-41

reference_url

https://security.archlinux.org/AVG-2026

reference_id

AVG-2026

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2026

fixed_packages

url pkg:pypi/django@3.1.12

purl pkg:pypi/django@3.1.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-n9vn-4uxr-hkau

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.1.12

url pkg:pypi/django@3.2.4

purl pkg:pypi/django@3.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-rv5n-efbm

vulnerability	VCID-2n2n-1fq2-7bbs

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-4z4e-8ttu-tyd6

vulnerability	VCID-51tx-4tp9-kbcz

vulnerability	VCID-6jpg-yrf8-cufy

vulnerability	VCID-9end-mq19-rke5

vulnerability	VCID-am3f-c5ex-8ff2

vulnerability	VCID-attf-6gj8-ebaj

vulnerability	VCID-au8h-vj9k-pufv

vulnerability	VCID-drwp-htkk-bkfh

vulnerability	VCID-f4a7-tcz5-byfj

vulnerability	VCID-fksk-pr23-2yd8

vulnerability	VCID-fsaw-3ta1-x3dw

vulnerability	VCID-m1dr-sjmw-jfd2

vulnerability	VCID-m33h-4p9q-63fb

vulnerability	VCID-n9vn-4uxr-hkau

vulnerability	VCID-nss9-1yrb-x7f2

vulnerability	VCID-qgp1-4efd-6yg6

vulnerability	VCID-yuda-1mur-8bbq

vulnerability	VCID-z6tf-z1y9-cydq

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.2.4

aliases CVE-2021-33203, GHSA-68w8-qjq3-2gfm, PYSEC-2021-98

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9mpt-zxaw-kkeg

url VCID-fhp8-tck4-mye4

vulnerability_id VCID-fhp8-tck4-mye4

summary In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

references

reference_url	https://docs.djangoproject.com/en/3.1/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/3.1/releases/security/

reference_url	https://github.com/advisories/GHSA-xgxc-v2qg-chmh
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-xgxc-v2qg-chmh

reference_url	https://groups.google.com/g/django-announce/c/ePr5j-ngdPU
reference_id
reference_type
scores
url	https://groups.google.com/g/django-announce/c/ePr5j-ngdPU

reference_url	https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/

reference_url	https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2021/apr/06/security-releases/

fixed_packages

url pkg:pypi/django@3.0.14

purl pkg:pypi/django@3.0.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.14

url pkg:pypi/django@3.1.8

purl pkg:pypi/django@3.1.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-j81e-su1y-tqa6

vulnerability	VCID-n9vn-4uxr-hkau

vulnerability	VCID-u9q1-63gf-7feh

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.1.8

aliases CVE-2021-28658, GHSA-xgxc-v2qg-chmh, PYSEC-2021-6

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fhp8-tck4-mye4

url VCID-hh9b-52xn-z7a9

vulnerability_id VCID-hh9b-52xn-z7a9

summary An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

references

reference_url	https://docs.djangoproject.com/en/dev/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/dev/releases/security/

reference_url	https://github.com/advisories/GHSA-fr28-569j-53c4
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-fr28-569j-53c4

reference_url	https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM

reference_url	https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/

reference_url	https://security.netapp.com/advisory/ntap-20200918-0004/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20200918-0004/

reference_url	https://usn.ubuntu.com/4479-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4479-1/

reference_url	https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

reference_url	https://www.openwall.com/lists/oss-security/2020/09/01/2
reference_id
reference_type
scores
url	https://www.openwall.com/lists/oss-security/2020/09/01/2

reference_url	https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
url	https://www.oracle.com/security-alerts/cpujan2021.html

fixed_packages

url pkg:pypi/django@3.0.10

purl pkg:pypi/django@3.0.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.10

url pkg:pypi/django@3.1.1

purl pkg:pypi/django@3.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-j81e-su1y-tqa6

vulnerability	VCID-n9vn-4uxr-hkau

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-u9q1-63gf-7feh

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.1.1

aliases CVE-2020-24584, GHSA-fr28-569j-53c4, PYSEC-2020-34

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hh9b-52xn-z7a9

url VCID-m4wa-xv9b-q7ce

vulnerability_id VCID-m4wa-xv9b-q7ce

summary Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

references

reference_url

https://docs.djangoproject.com/en/3.0/releases/security/

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://docs.djangoproject.com/en/3.0/releases/security/

reference_url	https://github.com/advisories/GHSA-3gh2-xw74-jmcw
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-3gh2-xw74-jmcw

reference_url

https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY

reference_url	https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY

reference_url

https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

reference_url

https://security.gentoo.org/glsa/202004-17

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://security.gentoo.org/glsa/202004-17

reference_url

https://security.netapp.com/advisory/ntap-20200327-0004/

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://security.netapp.com/advisory/ntap-20200327-0004/

reference_url

https://usn.ubuntu.com/4296-1/

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://usn.ubuntu.com/4296-1/

reference_url

https://www.debian.org/security/2020/dsa-4705

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://www.debian.org/security/2020/dsa-4705

reference_url

https://www.djangoproject.com/weblog/2020/mar/04/security-releases/

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

url

https://www.djangoproject.com/weblog/2020/mar/04/security-releases/

fixed_packages

url pkg:pypi/django@3.0.4

purl pkg:pypi/django@3.0.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4cp2-k4mn-8ffj

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-hh9b-52xn-z7a9

vulnerability	VCID-na9w-xkvx-cbhd

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-qvfs-2v1h-p3h4

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.4

aliases CVE-2020-9402, GHSA-3gh2-xw74-jmcw, PYSEC-2020-345, PYSEC-2020-36

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m4wa-xv9b-q7ce

url VCID-na9w-xkvx-cbhd

vulnerability_id VCID-na9w-xkvx-cbhd

summary An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.

references

reference_url	https://docs.djangoproject.com/en/3.0/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/3.0/releases/security/

reference_url	https://github.com/advisories/GHSA-wpjr-j57x-wxfw
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-wpjr-j57x-wxfw

reference_url	https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ
reference_id
reference_type
scores
url	https://groups.google.com/d/msg/django-announce/pPEmb2ot4Fo/X-SMalYSBAAJ

reference_url	https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html
reference_id
reference_type
scores
url	https://lists.debian.org/debian-lts-announce/2020/06/msg00016.html

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

reference_url	https://security.netapp.com/advisory/ntap-20200611-0002/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20200611-0002/

reference_url	https://usn.ubuntu.com/4381-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4381-1/

reference_url	https://usn.ubuntu.com/4381-2/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4381-2/

reference_url	https://www.debian.org/security/2020/dsa-4705
reference_id
reference_type
scores
url	https://www.debian.org/security/2020/dsa-4705

reference_url	https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2020/jun/03/security-releases/

reference_url	https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
url	https://www.oracle.com/security-alerts/cpujan2021.html

fixed_packages

url pkg:pypi/django@3.0.7

purl pkg:pypi/django@3.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-hh9b-52xn-z7a9

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-qvfs-2v1h-p3h4

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.7

aliases CVE-2020-13254, GHSA-wpjr-j57x-wxfw, PYSEC-2020-31

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-na9w-xkvx-cbhd

url VCID-q8r2-m9s6-rbek

vulnerability_id VCID-q8r2-m9s6-rbek

summary In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

references

reference_url	https://docs.djangoproject.com/en/3.1/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/3.1/releases/security/

reference_url	https://github.com/advisories/GHSA-fvgf-6h6h-3322
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-fvgf-6h6h-3322

reference_url	https://groups.google.com/forum/#!forum/django-announce
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!forum/django-announce

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/

reference_url	https://security.netapp.com/advisory/ntap-20210226-0004/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210226-0004/

reference_url	https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2021/feb/01/security-releases/

fixed_packages

url pkg:pypi/django@3.0.12

purl pkg:pypi/django@3.0.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.12

url pkg:pypi/django@3.1.6

purl pkg:pypi/django@3.1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-j81e-su1y-tqa6

vulnerability	VCID-n9vn-4uxr-hkau

vulnerability	VCID-u9q1-63gf-7feh

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.1.6

aliases CVE-2021-3281, GHSA-fvgf-6h6h-3322, PYSEC-2021-9

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q8r2-m9s6-rbek

url VCID-qvfs-2v1h-p3h4

vulnerability_id VCID-qvfs-2v1h-p3h4

summary An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

references

reference_url	https://docs.djangoproject.com/en/dev/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/dev/releases/security/

reference_url	https://github.com/advisories/GHSA-m6gj-h9gm-gw44
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-m6gj-h9gm-gw44

reference_url	https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM

reference_url	https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU
reference_id
reference_type
scores
url	https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/

reference_url	https://security.netapp.com/advisory/ntap-20200918-0004/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20200918-0004/

reference_url	https://usn.ubuntu.com/4479-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4479-1/

reference_url	https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

reference_url	https://www.openwall.com/lists/oss-security/2020/09/01/2
reference_id
reference_type
scores
url	https://www.openwall.com/lists/oss-security/2020/09/01/2

reference_url	https://www.oracle.com/security-alerts/cpujan2021.html
reference_id
reference_type
scores
url	https://www.oracle.com/security-alerts/cpujan2021.html

fixed_packages

url pkg:pypi/django@3.0.10

purl pkg:pypi/django@3.0.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.10

url pkg:pypi/django@3.1.1

purl pkg:pypi/django@3.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-9mpt-zxaw-kkeg

vulnerability	VCID-fhp8-tck4-mye4

vulnerability	VCID-j81e-su1y-tqa6

vulnerability	VCID-n9vn-4uxr-hkau

vulnerability	VCID-q8r2-m9s6-rbek

vulnerability	VCID-u9q1-63gf-7feh

vulnerability	VCID-z4x1-e7tp-rqhz

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.1.1

aliases CVE-2020-24583, GHSA-m6gj-h9gm-gw44, PYSEC-2020-33

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qvfs-2v1h-p3h4

url VCID-z4x1-e7tp-rqhz

vulnerability_id VCID-z4x1-e7tp-rqhz

summary multiple issues

references

reference_url	https://docs.djangoproject.com/en/3.2/releases/security/
reference_id
reference_type
scores
url	https://docs.djangoproject.com/en/3.2/releases/security/

reference_url	https://github.com/advisories/GHSA-p99v-5w3c-jqq9
reference_id
reference_type
scores
url	https://github.com/advisories/GHSA-p99v-5w3c-jqq9

reference_url	https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
reference_id
reference_type
scores
url	https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo

reference_url	https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
reference_id
reference_type
scores
url	https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

reference_url	https://security.archlinux.org/ASA-202106-41
reference_id	ASA-202106-41
reference_type
scores
url	https://security.archlinux.org/ASA-202106-41

reference_url

https://security.archlinux.org/AVG-2026

reference_id

AVG-2026

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2026

fixed_packages

url pkg:pypi/django@3.1.12

purl pkg:pypi/django@3.1.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-n9vn-4uxr-hkau

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.1.12

url pkg:pypi/django@3.2.4

purl pkg:pypi/django@3.2.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-rv5n-efbm

vulnerability	VCID-2n2n-1fq2-7bbs

vulnerability	VCID-4pb2-tqru-uufs

vulnerability	VCID-4z4e-8ttu-tyd6

vulnerability	VCID-51tx-4tp9-kbcz

vulnerability	VCID-6jpg-yrf8-cufy

vulnerability	VCID-9end-mq19-rke5

vulnerability	VCID-am3f-c5ex-8ff2

vulnerability	VCID-attf-6gj8-ebaj

vulnerability	VCID-au8h-vj9k-pufv

vulnerability	VCID-drwp-htkk-bkfh

vulnerability	VCID-f4a7-tcz5-byfj

vulnerability	VCID-fksk-pr23-2yd8

vulnerability	VCID-fsaw-3ta1-x3dw

vulnerability	VCID-m1dr-sjmw-jfd2

vulnerability	VCID-m33h-4p9q-63fb

vulnerability	VCID-n9vn-4uxr-hkau

vulnerability	VCID-nss9-1yrb-x7f2

vulnerability	VCID-qgp1-4efd-6yg6

vulnerability	VCID-yuda-1mur-8bbq

vulnerability	VCID-z6tf-z1y9-cydq

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.2.4

aliases CVE-2021-33571, GHSA-p99v-5w3c-jqq9, PYSEC-2021-99

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z4x1-e7tp-rqhz

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/django@3.0.1

Package Instance