VulnerableCode Package Details - pkg:deb/ubuntu/python-django@1:1.11.11-1ubuntu1.13

Search for packages

Vulnerability	Summary	Fixed by
VCID-an9k-wmax-aaam Aliases: BIT-2021-33203 BIT-django-2021-33203 CVE-2021-33203 GHSA-68w8-qjq3-2gfm PYSEC-2021-98	Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.	1:1.11.11-1ubuntu1.14 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-an9k-wmax-aaam
Aliases:
BIT-2021-33203
BIT-django-2021-33203
CVE-2021-33203
GHSA-68w8-qjq3-2gfm
PYSEC-2021-98

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

1:1.11.11-1ubuntu1.14
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-he7b-33hj-aaab	In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .	BIT-2021-33571 BIT-django-2021-33571 CVE-2021-33571 GHSA-p99v-5w3c-jqq9 PYSEC-2021-99
VCID-p9fj-m9t4-aaas	In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.	BIT-2021-32052 BIT-django-2021-32052 CVE-2021-32052 GHSA-qm57-vhq3-3fwf PYSEC-2021-8
VCID-r32d-wxg1-aaap	In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.	BIT-2021-31542 BIT-django-2021-31542 CVE-2021-31542 GHSA-rxjp-mfm9-w4wr PYSEC-2021-7

Vulnerability

Summary

Aliases

VCID-he7b-33hj-aaab

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

BIT-2021-33571
BIT-django-2021-33571
CVE-2021-33571
GHSA-p99v-5w3c-jqq9
PYSEC-2021-99

VCID-p9fj-m9t4-aaas

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

BIT-2021-32052
BIT-django-2021-32052
CVE-2021-32052
GHSA-qm57-vhq3-3fwf
PYSEC-2021-8

VCID-r32d-wxg1-aaap

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

BIT-2021-31542
BIT-django-2021-31542
CVE-2021-31542
GHSA-rxjp-mfm9-w4wr
PYSEC-2021-7

Next non-vulnerable version	1:1.11.11-1ubuntu1.14
Latest non-vulnerable version	1:1.11.22-1ubuntu1.4
Risk	4.0