VulnerableCode Package Details - pkg:deb/ubuntu/python-django@1:1.11.11-1ubuntu1.12

Search for packages

Vulnerability	Summary	Fixed by
VCID-an9k-wmax-aaam Aliases: BIT-2021-33203 BIT-django-2021-33203 CVE-2021-33203 GHSA-68w8-qjq3-2gfm PYSEC-2021-98	Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.	1:1.11.11-1ubuntu1.14 Affected by 0 other vulnerabilities.
VCID-he7b-33hj-aaab Aliases: BIT-2021-33571 BIT-django-2021-33571 CVE-2021-33571 GHSA-p99v-5w3c-jqq9 PYSEC-2021-99	In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .	1:1.11.11-1ubuntu1.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-p9fj-m9t4-aaas Aliases: BIT-2021-32052 BIT-django-2021-32052 CVE-2021-32052 GHSA-qm57-vhq3-3fwf PYSEC-2021-8	In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.	1:1.11.11-1ubuntu1.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-r32d-wxg1-aaap Aliases: BIT-2021-31542 BIT-django-2021-31542 CVE-2021-31542 GHSA-rxjp-mfm9-w4wr PYSEC-2021-7	In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.	1:1.11.11-1ubuntu1.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-an9k-wmax-aaam
Aliases:
BIT-2021-33203
BIT-django-2021-33203
CVE-2021-33203
GHSA-68w8-qjq3-2gfm
PYSEC-2021-98

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

1:1.11.11-1ubuntu1.14
Affected by 0 other vulnerabilities.

VCID-he7b-33hj-aaab
Aliases:
BIT-2021-33571
BIT-django-2021-33571
CVE-2021-33571
GHSA-p99v-5w3c-jqq9
PYSEC-2021-99

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

1:1.11.11-1ubuntu1.13
Affected by 1 other vulnerability.

VCID-p9fj-m9t4-aaas
Aliases:
BIT-2021-32052
BIT-django-2021-32052
CVE-2021-32052
GHSA-qm57-vhq3-3fwf
PYSEC-2021-8

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

1:1.11.11-1ubuntu1.13
Affected by 1 other vulnerability.

VCID-r32d-wxg1-aaap
Aliases:
BIT-2021-31542
BIT-django-2021-31542
CVE-2021-31542
GHSA-rxjp-mfm9-w4wr
PYSEC-2021-7

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

1:1.11.11-1ubuntu1.13
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-uqjc-jjph-aaaf	In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.	BIT-2021-28658 BIT-django-2021-28658 CVE-2021-28658 GHSA-xgxc-v2qg-chmh PYSEC-2021-6

Vulnerability

Summary

Aliases

VCID-uqjc-jjph-aaaf

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

BIT-2021-28658
BIT-django-2021-28658
CVE-2021-28658
GHSA-xgxc-v2qg-chmh
PYSEC-2021-6

Next non-vulnerable version	1:1.11.11-1ubuntu1.14
Latest non-vulnerable version	1:1.11.22-1ubuntu1.4
Risk	4.0