VulnerableCode Package Details - pkg:alpm/archlinux/python-django@3.1.7-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-uqjc-jjph-aaaf Aliases: BIT-2021-28658 BIT-django-2021-28658 CVE-2021-28658 GHSA-xgxc-v2qg-chmh PYSEC-2021-6	In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.	3.2-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-uqjc-jjph-aaaf
Aliases:
BIT-2021-28658
BIT-django-2021-28658
CVE-2021-28658
GHSA-xgxc-v2qg-chmh
PYSEC-2021-6

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

3.2-1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-y3pv-b3df-aaah	The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.	CVE-2021-23336

Vulnerability

Summary

Aliases

VCID-y3pv-b3df-aaah

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

CVE-2021-23336

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T07:47:04.436829+00:00	Arch Linux Importer	Affected by	VCID-uqjc-jjph-aaaf	https://security.archlinux.org/AVG-1776	36.0.0
2025-03-28T07:46:43.999221+00:00	Arch Linux Importer	Fixing	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	36.0.0
2024-10-12T00:59:57.178660+00:00	Arch Linux Importer	Fixing	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.2
2024-09-18T02:02:27.705480+00:00	Arch Linux Importer	Affected by	VCID-uqjc-jjph-aaaf	https://security.archlinux.org/AVG-1776	34.0.1
2024-09-18T02:02:04.806998+00:00	Arch Linux Importer	Fixing	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.1
2024-04-23T19:47:33.794269+00:00	Arch Linux Importer	Fixing	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.0rc4
2024-01-03T22:28:28.646181+00:00	Arch Linux Importer	Affected by	VCID-uqjc-jjph-aaaf	https://security.archlinux.org/AVG-1776	34.0.0rc1
2024-01-03T22:28:07.352758+00:00	Arch Linux Importer	Fixing	VCID-y3pv-b3df-aaah	https://security.archlinux.org/AVG-1593	34.0.0rc1