Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/41843?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/41843?format=api", "purl": "pkg:pypi/django@5.0.7", "type": "pypi", "namespace": "", "name": "django", "version": "5.0.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.0.14", "latest_non_vulnerable_version": "6.0.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36951?format=api", "vulnerability_id": "VCID-2ft7-rbey-kuhx", "summary": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/g/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/django-announce" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2024/12/04/3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2024/12/04/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44199?format=api", "purl": "pkg:pypi/django@5.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/44198?format=api", "purl": "pkg:pypi/django@5.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.4" } ], "aliases": [ "CVE-2024-53908", "PYSEC-2024-157" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ft7-rbey-kuhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36847?format=api", "vulnerability_id": "VCID-e12b-tw2c-53c9", "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42126?format=api", "purl": "pkg:pypi/django@5.0.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-ud73-4t2c-n3at" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8" } ], "aliases": [ "CVE-2024-41991", "PYSEC-2024-69" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e12b-tw2c-53c9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36884?format=api", "vulnerability_id": "VCID-hsjn-xnpp-5yeh", "summary": "An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43562?format=api", "purl": "pkg:pypi/django@5.0.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-ud73-4t2c-n3at" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/43561?format=api", "purl": "pkg:pypi/django@5.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.1" } ], "aliases": [ "CVE-2024-45230", "PYSEC-2024-102" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hsjn-xnpp-5yeh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36849?format=api", "vulnerability_id": "VCID-jgv9-vdbm-sycd", "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42126?format=api", "purl": "pkg:pypi/django@5.0.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-ud73-4t2c-n3at" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8" } ], "aliases": [ "CVE-2024-41989", "PYSEC-2024-67" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jgv9-vdbm-sycd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36958?format=api", "vulnerability_id": "VCID-pa7y-gpwp-6qgj", "summary": "An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.)", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/g/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2025/jan/14/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2025/jan/14/security-releases/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/01/14/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2025/01/14/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44333?format=api", "purl": "pkg:pypi/django@5.0.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/44332?format=api", "purl": "pkg:pypi/django@5.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.5" } ], "aliases": [ "CVE-2024-56374", "PYSEC-2025-1" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pa7y-gpwp-6qgj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37034?format=api", "vulnerability_id": "VCID-qw15-2kq7-wqed", "summary": "An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/g/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2025/apr/02/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2025/apr/02/security-releases/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/04/02/2", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2025/04/02/2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44735?format=api", "purl": "pkg:pypi/django@5.0.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/44734?format=api", "purl": "pkg:pypi/django@5.1.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.8" } ], "aliases": [ "CVE-2025-27556", "PYSEC-2025-14" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qw15-2kq7-wqed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36984?format=api", "vulnerability_id": "VCID-qy1a-x3ff-4bc8", "summary": "An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/g/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/django-announce" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00012.html" }, { "reference_url": "https://www.djangoproject.com/weblog/2025/mar/06/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2025/mar/06/security-releases/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/03/06/12", "reference_id": "", "reference_type": "", "scores": [], "url": "http://www.openwall.com/lists/oss-security/2025/03/06/12" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44602?format=api", "purl": "pkg:pypi/django@5.0.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qw15-2kq7-wqed" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/44601?format=api", "purl": "pkg:pypi/django@5.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.7" } ], "aliases": [ "CVE-2025-26699", "PYSEC-2025-13" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qy1a-x3ff-4bc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36848?format=api", "vulnerability_id": "VCID-rqqc-ta7c-ykgx", "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42126?format=api", "purl": "pkg:pypi/django@5.0.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-ud73-4t2c-n3at" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8" } ], "aliases": [ "CVE-2024-41990", "PYSEC-2024-68" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rqqc-ta7c-ykgx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36950?format=api", "vulnerability_id": "VCID-ud73-4t2c-n3at", "summary": "An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/g/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/g/django-announce" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00028.html" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2024/12/04/3", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openwall.com/lists/oss-security/2024/12/04/3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/44199?format=api", "purl": "pkg:pypi/django@5.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/44198?format=api", "purl": "pkg:pypi/django@5.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.1.4" } ], "aliases": [ "CVE-2024-53907", "PYSEC-2024-156" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ud73-4t2c-n3at" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36850?format=api", "vulnerability_id": "VCID-xcmd-18ck-gqae", "summary": "An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/aug/06/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/42126?format=api", "purl": "pkg:pypi/django@5.0.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-ud73-4t2c-n3at" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.8" } ], "aliases": [ "CVE-2024-42005", "PYSEC-2024-70" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xcmd-18ck-gqae" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36828?format=api", "vulnerability_id": "VCID-9gq3-whr8-s7b8", "summary": "An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41844?format=api", "purl": "pkg:pypi/django@4.2.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-4kcg-gx5y-cuaw" }, { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-ga7z-wj4j-63h1" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-jybd-p65h-xffy" }, { "vulnerability": "VCID-kxdd-yzp3-r7cb" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-phkp-9abp-f3dq" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-r1vx-vv7d-gqaj" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-shch-yusm-1uck" }, { "vulnerability": "VCID-shjc-2j68-2yfy" }, { "vulnerability": "VCID-tktt-vg92-6kae" }, { "vulnerability": "VCID-tuqc-c251-h7ds" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-wa3g-27sx-mbcw" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-xcmd-18ck-gqae" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/41843?format=api", "purl": "pkg:pypi/django@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-xcmd-18ck-gqae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7" } ], "aliases": [ "CVE-2024-38875", "PYSEC-2024-56" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9gq3-whr8-s7b8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36827?format=api", "vulnerability_id": "VCID-e8j6-mybr-17fh", "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41844?format=api", "purl": "pkg:pypi/django@4.2.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-4kcg-gx5y-cuaw" }, { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-ga7z-wj4j-63h1" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-jybd-p65h-xffy" }, { "vulnerability": "VCID-kxdd-yzp3-r7cb" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-phkp-9abp-f3dq" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-r1vx-vv7d-gqaj" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-shch-yusm-1uck" }, { "vulnerability": "VCID-shjc-2j68-2yfy" }, { "vulnerability": "VCID-tktt-vg92-6kae" }, { "vulnerability": "VCID-tuqc-c251-h7ds" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-wa3g-27sx-mbcw" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-xcmd-18ck-gqae" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/41843?format=api", "purl": "pkg:pypi/django@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-xcmd-18ck-gqae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7" } ], "aliases": [ "CVE-2024-39330", "PYSEC-2024-58" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e8j6-mybr-17fh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36826?format=api", "vulnerability_id": "VCID-s1rj-1xbw-fbg5", "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41844?format=api", "purl": "pkg:pypi/django@4.2.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-4kcg-gx5y-cuaw" }, { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-ga7z-wj4j-63h1" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-jybd-p65h-xffy" }, { "vulnerability": "VCID-kxdd-yzp3-r7cb" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-phkp-9abp-f3dq" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-r1vx-vv7d-gqaj" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-shch-yusm-1uck" }, { "vulnerability": "VCID-shjc-2j68-2yfy" }, { "vulnerability": "VCID-tktt-vg92-6kae" }, { "vulnerability": "VCID-tuqc-c251-h7ds" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-wa3g-27sx-mbcw" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-xcmd-18ck-gqae" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/41843?format=api", "purl": "pkg:pypi/django@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-xcmd-18ck-gqae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7" } ], "aliases": [ "CVE-2024-39614", "PYSEC-2024-59" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s1rj-1xbw-fbg5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36829?format=api", "vulnerability_id": "VCID-vgq9-s6th-yufg", "summary": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.", "references": [ { "reference_url": "https://docs.djangoproject.com/en/dev/releases/security/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://docs.djangoproject.com/en/dev/releases/security/" }, { "reference_url": "https://groups.google.com/forum/#%21forum/django-announce", "reference_id": "", "reference_type": "", "scores": [], "url": "https://groups.google.com/forum/#%21forum/django-announce" }, { "reference_url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41844?format=api", "purl": "pkg:pypi/django@4.2.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-4kcg-gx5y-cuaw" }, { "vulnerability": "VCID-5xtt-au84-zbb2" }, { "vulnerability": "VCID-7c5n-nzwk-v7bz" }, { "vulnerability": "VCID-9kvc-1bdz-n3bd" }, { "vulnerability": "VCID-bb8b-hq41-s7a6" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-fcg9-xypn-ykhf" }, { "vulnerability": "VCID-ga69-9y5g-77c3" }, { "vulnerability": "VCID-ga7z-wj4j-63h1" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-jybd-p65h-xffy" }, { "vulnerability": "VCID-kxdd-yzp3-r7cb" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-phkp-9abp-f3dq" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-r1vx-vv7d-gqaj" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-shch-yusm-1uck" }, { "vulnerability": "VCID-shjc-2j68-2yfy" }, { "vulnerability": "VCID-tktt-vg92-6kae" }, { "vulnerability": "VCID-tuqc-c251-h7ds" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-wa3g-27sx-mbcw" }, { "vulnerability": "VCID-whgc-pt2s-77ar" }, { "vulnerability": "VCID-xcmd-18ck-gqae" }, { "vulnerability": "VCID-ynt9-h6ww-h7e9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@4.2.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/41843?format=api", "purl": "pkg:pypi/django@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ft7-rbey-kuhx" }, { "vulnerability": "VCID-e12b-tw2c-53c9" }, { "vulnerability": "VCID-hsjn-xnpp-5yeh" }, { "vulnerability": "VCID-jgv9-vdbm-sycd" }, { "vulnerability": "VCID-pa7y-gpwp-6qgj" }, { "vulnerability": "VCID-qw15-2kq7-wqed" }, { "vulnerability": "VCID-qy1a-x3ff-4bc8" }, { "vulnerability": "VCID-rqqc-ta7c-ykgx" }, { "vulnerability": "VCID-ud73-4t2c-n3at" }, { "vulnerability": "VCID-xcmd-18ck-gqae" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7" } ], "aliases": [ "CVE-2024-39329", "PYSEC-2024-57" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vgq9-s6th-yufg" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/django@5.0.7" }