| Field | Value |
|---|---|
| purl | pkg:rpm/redhat/python-django@4.2.16-1?arch=el8pc |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-jzae-1awh-k7cm (Aliases: BIT-django-2024-38875, CVE-2024-38875, GHSA-qg2p-9jwr-mmqf, PYSEC-2024-56) | An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. | There are no reported fixed-by versions. |
| VCID-m91a-6235-nye9 (Aliases: BIT-django-2024-42005, CVE-2024-42005, GHSA-pv4p-cwwg-4rph, PYSEC-2024-70) | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. | There are no reported fixed-by versions. |
| VCID-q12d-kv8p-8ff7 (Aliases: BIT-django-2024-39329, CVE-2024-39329, GHSA-x7q2-wr7g-xqmf, PYSEC-2024-57) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. | There are no reported fixed-by versions. |
| VCID-u3zk-tff2-aua9 (Aliases: BIT-django-2024-39614, CVE-2024-39614, GHSA-f6f8-9mx6-9mx2, PYSEC-2024-59) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. | There are no reported fixed-by versions. |
| VCID-z27q-zfpz-ckby (Aliases: BIT-django-2024-39330, CVE-2024-39330, GHSA-9jmf-237g-qf46, PYSEC-2024-58) | An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) | There are no reported fixed-by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:46:25.630365+00:00 | RedHat Importer | Affected by | VCID-u3zk-tff2-aua9 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39614.json | 38.0.0 |
| 2026-04-01T13:46:25.489414+00:00 | RedHat Importer | Affected by | VCID-z27q-zfpz-ckby | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39330.json | 38.0.0 |
| 2026-04-01T13:46:25.396867+00:00 | RedHat Importer | Affected by | VCID-q12d-kv8p-8ff7 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-39329.json | 38.0.0 |
| 2026-04-01T13:46:05.469466+00:00 | RedHat Importer | Affected by | VCID-jzae-1awh-k7cm | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38875.json | 38.0.0 |
| 2026-04-01T13:45:48.352936+00:00 | RedHat Importer | Affected by | VCID-m91a-6235-nye9 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42005.json | 38.0.0 |