VulnerableCode Package Details - pkg:alpm/archlinux/python-django@3.1.6-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-y3pv-b3df-aaah Aliases: CVE-2021-23336	The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.	3.1.7-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-y3pv-b3df-aaah
Aliases:
CVE-2021-23336

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

3.1.7-1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-632q-8e7a-aaac	In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.	BIT-2021-3281 BIT-django-2021-3281 CVE-2021-3281 GHSA-fvgf-6h6h-3322 PYSEC-2021-9

Vulnerability

Summary

Aliases

VCID-632q-8e7a-aaac

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

BIT-2021-3281
BIT-django-2021-3281
CVE-2021-3281
GHSA-fvgf-6h6h-3322
PYSEC-2021-9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:47:05.312465+00:00	Arch Linux Importer	Fixing	VCID-632q-8e7a-aaac	https://security.archlinux.org/AVG-1518	36.0.0
2025-03-28T07:46:43.994194+00:00	Arch Linux Importer	Affected by	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	36.0.0
2024-10-12T00:59:57.782083+00:00	Arch Linux Importer	Fixing	VCID-632q-8e7a-aaac	https://security.archlinux.org/AVG-1518	34.0.2
2024-10-12T00:59:57.173290+00:00	Arch Linux Importer	Affected by	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.2
2024-09-18T02:02:28.840534+00:00	Arch Linux Importer	Fixing	VCID-632q-8e7a-aaac	https://security.archlinux.org/AVG-1518	34.0.1
2024-09-18T02:02:04.801617+00:00	Arch Linux Importer	Affected by	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.1
2024-04-23T19:47:35.316438+00:00	Arch Linux Importer	Fixing	VCID-632q-8e7a-aaac	https://security.archlinux.org/AVG-1518	34.0.0rc4
2024-04-23T19:47:33.789235+00:00	Arch Linux Importer	Affected by	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.0rc4
2024-01-03T22:28:29.660903+00:00	Arch Linux Importer	Fixing	VCID-632q-8e7a-aaac	https://security.archlinux.org/AVG-1518	34.0.0rc1
2024-01-03T22:28:07.348058+00:00	Arch Linux Importer	Affected by	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.0rc1