VulnerableCode Package Details - pkg:ebuild/dev-python/django@2.2.11

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1v22-g646-wbay	An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.	CVE-2019-14235 GHSA-v9qg-3j8p-r63v PYSEC-2019-14
VCID-2zb9-27sm-3kgh	An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.	CVE-2019-14232 GHSA-c4qh-4vgv-qc6g PYSEC-2019-11
VCID-56na-n4w5-8fak	An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.	CVE-2019-12308 GHSA-7rp2-fm2h-wchj PYSEC-2019-79
VCID-8jaq-53td-wbeg	Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)	CVE-2019-19844 GHSA-vfq6-hq5r-27r6 PYSEC-2019-16
VCID-a8zx-jamf-cfcm	An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.	CVE-2019-14234 GHSA-6r97-cj55-9hrq PYSEC-2019-13
VCID-c2kc-1jh1-j3ha	Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)	CVE-2019-19118 GHSA-hvmf-r92r-27hr PYSEC-2019-15
VCID-jtru-9jmz-kkek	An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.	CVE-2019-14233 GHSA-h5jv-4p7w-64jg PYSEC-2019-12
VCID-w2dv-u8h6-sbgs	Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.	BIT-django-2020-7471 CVE-2020-7471 GHSA-hmr4-m2h5-33qx PYSEC-2020-35
VCID-wb34-g6xq-rkfx	Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.	BIT-django-2020-9402 CVE-2020-9402 GHSA-3gh2-xw74-jmcw PYSEC-2020-36

Vulnerability

Summary

Aliases

VCID-1v22-g646-wbay

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

CVE-2019-14235
GHSA-v9qg-3j8p-r63v
PYSEC-2019-14

VCID-2zb9-27sm-3kgh

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

CVE-2019-14232
GHSA-c4qh-4vgv-qc6g
PYSEC-2019-11

VCID-56na-n4w5-8fak

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

CVE-2019-12308
GHSA-7rp2-fm2h-wchj
PYSEC-2019-79

VCID-8jaq-53td-wbeg

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

CVE-2019-19844
GHSA-vfq6-hq5r-27r6
PYSEC-2019-16

VCID-a8zx-jamf-cfcm

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

CVE-2019-14234
GHSA-6r97-cj55-9hrq
PYSEC-2019-13

VCID-c2kc-1jh1-j3ha

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)

CVE-2019-19118
GHSA-hvmf-r92r-27hr
PYSEC-2019-15

VCID-jtru-9jmz-kkek

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.

CVE-2019-14233
GHSA-h5jv-4p7w-64jg
PYSEC-2019-12

VCID-w2dv-u8h6-sbgs

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

BIT-django-2020-7471
CVE-2020-7471
GHSA-hmr4-m2h5-33qx
PYSEC-2020-35

VCID-wb34-g6xq-rkfx

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

BIT-django-2020-9402
CVE-2020-9402
GHSA-3gh2-xw74-jmcw
PYSEC-2020-36

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:03:15.459741+00:00	Gentoo Importer	Fixing	VCID-wb34-g6xq-rkfx	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.449783+00:00	Gentoo Importer	Fixing	VCID-w2dv-u8h6-sbgs	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.440552+00:00	Gentoo Importer	Fixing	VCID-8jaq-53td-wbeg	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.429513+00:00	Gentoo Importer	Fixing	VCID-c2kc-1jh1-j3ha	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.418921+00:00	Gentoo Importer	Fixing	VCID-1v22-g646-wbay	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.409143+00:00	Gentoo Importer	Fixing	VCID-a8zx-jamf-cfcm	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.399253+00:00	Gentoo Importer	Fixing	VCID-jtru-9jmz-kkek	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.391548+00:00	Gentoo Importer	Fixing	VCID-2zb9-27sm-3kgh	https://security.gentoo.org/glsa/202004-17	38.0.0
2026-04-01T13:03:15.383522+00:00	Gentoo Importer	Fixing	VCID-56na-n4w5-8fak	https://security.gentoo.org/glsa/202004-17	38.0.0