diff --git a/docs/content/en/integrations/parsers/file/osv_scanner.md b/docs/content/en/integrations/parsers/file/osv_scanner.md
new file mode 100644
index 00000000000..d0e90c2b11d
--- /dev/null
+++ b/docs/content/en/integrations/parsers/file/osv_scanner.md
@@ -0,0 +1,8 @@
+---
+title: "OSV Scanner"
+toc_hide: true
+---
+Use [OSV-Scanner](https://github.com/google/osv-scanner) to find existing vulnerabilities affecting your project's dependencies.
+
+### Sample Scan Data
+Sample OSV Scanner output can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/osv_scanner).
\ No newline at end of file
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index ca023c7fee1..e5559c38a91 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -1244,6 +1244,7 @@ def saml2_attrib_map_format(dict):
     'HCLAppScan XML': ['title', 'description'],
     'KICS Scan': ['file_path', 'line', 'severity', 'description', 'title'],
     'MobSF Scan': ['title', 'description', 'severity'],
+    'OSV Scan': ['title', 'description', 'severity'],
     'Snyk Code Scan': ['vuln_id_from_tool', 'file_path']
 }
 
@@ -1455,6 +1456,7 @@ def saml2_attrib_map_format(dict):
     'HCLAppScan XML': DEDUPE_ALGO_HASH_CODE,
     'KICS Scan': DEDUPE_ALGO_HASH_CODE,
     'MobSF Scan': DEDUPE_ALGO_HASH_CODE,
+    'OSV Scan': DEDUPE_ALGO_HASH_CODE,
     'Nosey Parker Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
 }
 
diff --git a/dojo/tools/osv_scanner/__init__.py b/dojo/tools/osv_scanner/__init__.py
new file mode 100644
index 00000000000..3ad798a42b3
--- /dev/null
+++ b/dojo/tools/osv_scanner/__init__.py
@@ -0,0 +1 @@
+__author__ = "manuel-sommer"
diff --git a/dojo/tools/osv_scanner/parser.py b/dojo/tools/osv_scanner/parser.py
new file mode 100644
index 00000000000..4d6fff7ab43
--- /dev/null
+++ b/dojo/tools/osv_scanner/parser.py
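Review bot: The hash-code field list added for 'OSV Scan' in the first settings hunk includes `description`, and the new parser builds that description from the advisory's full `details` text; OSV advisories are re-published with edited wording (the sample file's `modified` timestamps show records revised well after publication), so a re-import after such an edit yields a new hash and a duplicate finding instead of a match. The title already encodes the OSV id and the package name, so a key that survives advisory edits would be something like `'OSV Scan': ['title', 'file_path'],` — or have the parser fill `vuln_id_from_tool` and hash on it the way the 'Snyk Code Scan' entry does. In the second hunk the new entry also lands before 'Nosey Parker Scan', breaking the alphabetical order the surrounding table keeps.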
@@ -0,0 +1,73 @@
+import json
+from dojo.models import Finding
+
+
+class OSVScannerParser(object):
+
+    def get_scan_types(self):
+        return ["OSV Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return "OSV Scan"
+
+    def get_description_for_scan_types(self, scan_type):
+        return "OSV scan output can be imported in JSON format (option --format json)."
+
+    def classify_severity(self, input):
+        if input != "":
+            if input == "MODERATE":
+                severity = "Medium"
+            else:
+                severity = input.lower().capitalize()
+        else:
+            severity = "Low"
+        return severity
+
+    def get_findings(self, file, test):
+        try:
+            data = json.load(file)
+        except json.decoder.JSONDecodeError:
+            return []
+        findings = list()
+        for result in data["results"]:
+            source_path = result["source"]["path"]
+            source_type = result["source"]["type"]
+            for package in result["packages"]:
+                package_name = package["package"]["name"]
+                package_version = package["package"]["version"]
+                package_ecosystem = package["package"]["ecosystem"]
+                for vulnerability in package["vulnerabilities"]:
+                    vulnerabilityid = vulnerability["id"]
+                    vulnerabilitysummary = vulnerability.get("summary", "")
+                    vulnerabilitydetails = vulnerability["details"]
+                    vulnerabilitypackagepurl = vulnerability["affected"][0].get("package", "")
+                    if vulnerabilitypackagepurl != "":
+                        vulnerabilitypackagepurl = vulnerabilitypackagepurl["purl"]
+                    cwe = vulnerability["affected"][0]["database_specific"].get("cwes", None)
+                    if cwe is not None:
+                        cwe = cwe[0]["cweId"]
+                    reference = ""
+                    for ref in vulnerability.get("references"):
+                        reference += ref.get("url") + "\n"
+                    description = vulnerabilitysummary + "\n"
+                    description += "**source_type**: " + source_type + "\n"
+                    description += "**package_ecosystem**: " + package_ecosystem + "\n"
+                    description += "**vulnerabilitydetails**: " + vulnerabilitydetails + "\n"
+                    description += "**vulnerabilitypackagepurl**: " + vulnerabilitypackagepurl + "\n"
+                    sev = vulnerability.get("database_specific", {}).get("severity", "")
+                    finding = Finding(
+                        title=vulnerabilityid + "_" + package_name,
+                        test=test,
+                        description=description,
+                        severity=self.classify_severity(sev),
+                        static_finding=True,
+                        dynamic_finding=False,
+                        component_name=package_name,
+                        component_version=package_version,
+                        cwe=cwe,
+                        cve=vulnerabilityid,
+                        file_path=source_path,
+                        references=reference,
+                    )
+                    findings.append(finding)
+        return findings
diff --git a/unittests/scans/osv_scanner/many_findings.json b/unittests/scans/osv_scanner/many_findings.json
new file mode 100644
index 00000000000..856ff59e77d
--- /dev/null
+++ b/unittests/scans/osv_scanner/many_findings.json
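Review bot: The CWE lookup in get_findings reads `vulnerability["affected"][0]["database_specific"].get("cwes")`, but in the OSV output added with this change the CWEs sit at the advisory level as `database_specific.cwe_ids` (`"CWE-200"` strings) while `affected[].database_specific` only carries a `source` URL — so every finding from the sample file ends up with `cwe=None`, and an advisory with an empty `affected` list raises IndexError. The same loop treats optional OSV fields as mandatory: `vulnerability["details"]` raises KeyError when absent, `vulnerability.get("references")` yields None (not iterable) and `ref.get("url")` yields None (cannot be concatenated). `cve=vulnerabilityid` stores the OSV id, which for GitHub-sourced records is a `GHSA-…` identifier; the CVE numbers are in `aliases`, and DefectDojo's `unsaved_vulnerability_ids` list is where a parser hands them over. Separately, `except json.decoder.JSONDecodeError: return []` turns a corrupt or truncated upload into a successful import with zero findings, which on reimport can close every existing finding of the test — `except json.decoder.JSONDecodeError as e: raise ValueError("Invalid OSV Scanner JSON") from e` fails loudly instead.
```python
                for vulnerability in package["vulnerabilities"]:
                    vulnerabilityid = vulnerability["id"]
                    vulnerabilitysummary = vulnerability.get("summary", "")
                    vulnerabilitydetails = vulnerability.get("details", "")
                    affected = vulnerability.get("affected") or [{}]
                    vulnerabilitypackagepurl = (affected[0].get("package") or {}).get("purl", "")
                    # GitHub-sourced OSV records list CWEs as "CWE-NNN" strings at the
                    # advisory level; keep the per-affected "cwes" form as a fallback.
                    cwe = None
                    db_specific = vulnerability.get("database_specific") or {}
                    for cwe_id in db_specific.get("cwe_ids", []):
                        if cwe_id.startswith("CWE-") and cwe_id[4:].isdigit():
                            cwe = int(cwe_id[4:])
                            break
                    if cwe is None:
                        cwes = (affected[0].get("database_specific") or {}).get("cwes") or []
                        if cwes:
                            cwe = cwes[0].get("cweId")
                    reference = ""
                    for ref in vulnerability.get("references", []):
                        url = ref.get("url")
                        if url:
                            reference += url + "\n"
                    # … unchanged: description assembly …
                    sev = db_specific.get("severity", "")
                    finding = Finding(
                        # … unchanged: other keyword arguments …
                        cwe=cwe,
                    )
                    # The OSV id may be a GHSA/PYSEC/... id; CVE numbers are in "aliases".
                    finding.unsaved_vulnerability_ids = [vulnerabilityid] + [
                        alias for alias in vulnerability.get("aliases", []) if alias.startswith("CVE-")
                    ]
                    findings.append(finding)
```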
@@ -0,0 +1,12723 @@ +{ + "results": [ + { + "source": { + "path": "/tmpcardmarket-api/composer.lock", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "guzzlehttp/guzzle", + "version": "6.3.3", + "ecosystem": "Packagist" + }, + "vulnerabilities": [ + { + "modified": "2024-02-16T08:21:48Z", + "published": "2022-06-21T16:57:10Z", + "schema_version": "1.6.0", + "id": "GHSA-25mq-v84q-4j7r", + "aliases": [ + "CVE-2022-31090" + ], + "summary": "CURLOPT_HTTPAUTH option not cleared on change of origin", + "details": "### Impact\n\n`Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` options before continuing, stopping curl from appending the `Authorization` header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port.\n\n### Workarounds\n\nIf you do not require or expect redirects to be followed, one should simply disable redirects all together. 
Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl.\n\n### References\n\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n* [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.5.8" + } + ] + } + ], + "versions": [ + "4.0.0", + "4.0.0-rc.1", + "4.0.0-rc.2", + "4.0.1", + "4.0.2", + "4.1.0", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.2.0", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "5.0.0", + "5.0.1", + "5.0.2", + "5.0.3", + "5.1.0", + "5.2.0", + "5.3.0", + "5.3.1", + "5.3.2", + "5.3.3", + "5.3.4", + "6.0.0", + "6.0.1", + "6.0.2", + "6.1.0", + "6.1.1", + "6.2.0", + "6.2.1", + "6.2.2", + "6.2.3", + "6.3.0", + "6.3.1", + "6.3.2", + "6.3.3", + "6.4.0", + "6.4.1", + "6.5.0", + "6.5.1", + "6.5.2", + "6.5.3", + "6.5.4", + "6.5.5", + "6.5.6", + "6.5.7", + "v1.0.3", + "v1.0.4", + "v2.0.0", + "v2.0.1", + "v2.0.2", + "v2.0.3", + "v2.0.4", + "v2.0.5", + "v2.1.0", + "v2.1.1", + "v2.1.2", + "v2.1.3", + "v2.1.4", + "v2.2.0", + "v2.2.1", + "v2.2.2", + "v2.2.3", + "v2.2.4", + "v2.3.2", + "v2.4.0", + "v2.4.1", + "v2.5.0", + "v2.6.0", + "v2.6.1", + "v2.6.2", + "v2.6.3", + "v2.6.4", + "v2.6.5", + "v2.6.6", + "v2.7.0", + "v2.7.1", + "v2.7.2", + "v2.8.0", + "v2.8.1", + "v2.8.2", + "v2.8.3", + "v2.8.4", + "v2.8.5", + "v2.8.6", + "v2.8.7", + 
"v2.8.8", + "v3.0.0", + "v3.0.1", + "v3.0.2", + "v3.0.3", + "v3.0.4", + "v3.0.5", + "v3.0.6", + "v3.0.7", + "v3.1.0", + "v3.1.1", + "v3.1.2", + "v3.2.0", + "v3.3.0", + "v3.3.1", + "v3.4.0", + "v3.4.1", + "v3.4.2", + "v3.4.3", + "v3.5.0", + "v3.6.0", + "v3.7.0", + "v3.7.1", + "v3.7.2", + "v3.7.3", + "v3.7.4", + "v3.8.0", + "v3.8.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-25mq-v84q-4j7r/GHSA-25mq-v84q-4j7r.json" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.4.5" + } + ] + } + ], + "versions": [ + "7.0.0", + "7.0.1", + "7.1.0", + "7.1.1", + "7.2.0", + "7.3.0", + "7.4.0", + "7.4.1", + "7.4.2", + "7.4.3", + "7.4.4" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-25mq-v84q-4j7r/GHSA-25mq-v84q-4j7r.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31090" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-31090.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/guzzle/guzzle" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/blob/6.5.8/CHANGELOG.md" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/blob/7.4.5/CHANGELOG.md" + }, + { + "type": "WEB", + "url": 
"https://security.gentoo.org/glsa/202305-24" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5246" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200", + "CWE-212" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-06-21T16:57:10Z", + "nvd_published_at": "2022-06-27T22:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:22:32Z", + "published": "2022-05-25T18:09:55Z", + "schema_version": "1.6.0", + "id": "GHSA-cwmx-hcrq-mhc3", + "aliases": [ + "BIT-drupal-2022-29248", + "CVE-2022-29248" + ], + "summary": "Cross-domain cookie leakage in Guzzle", + "details": "### Impact\n\nPrevious version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.\n\nNote that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `['cookies' =\u003e true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3.\n\n### Workarounds\n\nIf you do not need support for cookies, turn off the cookie middleware. 
It is already off by default, but if you have turned it on and no longer need it, turn it off.\n\n### References\n\n* [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3)\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.5.6" + } + ] + } + ], + "versions": [ + "4.0.0", + "4.0.0-rc.1", + "4.0.0-rc.2", + "4.0.1", + "4.0.2", + "4.1.0", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.2.0", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "5.0.0", + "5.0.1", + "5.0.2", + "5.0.3", + "5.1.0", + "5.2.0", + "5.3.0", + "5.3.1", + "5.3.2", + "5.3.3", + "5.3.4", + "6.0.0", + "6.0.1", + "6.0.2", + "6.1.0", + "6.1.1", + "6.2.0", + "6.2.1", + "6.2.2", + "6.2.3", + "6.3.0", + "6.3.1", + "6.3.2", + "6.3.3", + "6.4.0", + "6.4.1", + "6.5.0", + "6.5.1", + "6.5.2", + "6.5.3", + "6.5.4", + "6.5.5", + "v1.0.3", + "v1.0.4", + "v2.0.0", + "v2.0.1", + "v2.0.2", + "v2.0.3", + "v2.0.4", + "v2.0.5", + "v2.1.0", + "v2.1.1", + "v2.1.2", + "v2.1.3", + "v2.1.4", + "v2.2.0", + "v2.2.1", + "v2.2.2", + "v2.2.3", + "v2.2.4", + "v2.3.2", + "v2.4.0", + "v2.4.1", + "v2.5.0", + "v2.6.0", + "v2.6.1", + "v2.6.2", + "v2.6.3", + "v2.6.4", + "v2.6.5", + "v2.6.6", + "v2.7.0", + "v2.7.1", + "v2.7.2", + "v2.8.0", + "v2.8.1", + "v2.8.2", + "v2.8.3", + "v2.8.4", + "v2.8.5", + "v2.8.6", + "v2.8.7", + 
"v2.8.8", + "v3.0.0", + "v3.0.1", + "v3.0.2", + "v3.0.3", + "v3.0.4", + "v3.0.5", + "v3.0.6", + "v3.0.7", + "v3.1.0", + "v3.1.1", + "v3.1.2", + "v3.2.0", + "v3.3.0", + "v3.3.1", + "v3.4.0", + "v3.4.1", + "v3.4.2", + "v3.4.3", + "v3.5.0", + "v3.6.0", + "v3.7.0", + "v3.7.1", + "v3.7.2", + "v3.7.3", + "v3.7.4", + "v3.8.0", + "v3.8.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cwmx-hcrq-mhc3/GHSA-cwmx-hcrq-mhc3.json" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.4.3" + } + ] + } + ], + "versions": [ + "7.0.0", + "7.0.1", + "7.1.0", + "7.1.1", + "7.2.0", + "7.3.0", + "7.4.0", + "7.4.1", + "7.4.2" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cwmx-hcrq-mhc3/GHSA-cwmx-hcrq-mhc3.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29248" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/pull/3018" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/guzzle/guzzle" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5246" + }, + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-010" + } + ], + 
"database_specific": { + "cwe_ids": [ + "CWE-200", + "CWE-565" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-05-25T18:09:55Z", + "nvd_published_at": "2022-05-25T18:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:13:42Z", + "published": "2022-06-09T23:47:25Z", + "schema_version": "1.6.0", + "id": "GHSA-f2wf-25xc-69c9", + "aliases": [ + "BIT-drupal-2022-31042", + "CVE-2022-31042" + ], + "summary": "Failure to strip the Cookie header on change in host or HTTP downgrade", + "details": "### Impact\n\n`Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4.\n\n### Workarounds\n\nAn alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.\n\n### References\n\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). 
Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "6.5.7" + } + ] + } + ], + "versions": [ + "4.0.0", + "4.0.1", + "4.0.2", + "4.1.0", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.2.0", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "5.0.0", + "5.0.1", + "5.0.2", + "5.0.3", + "5.1.0", + "5.2.0", + "5.3.0", + "5.3.1", + "5.3.2", + "5.3.3", + "5.3.4", + "6.0.0", + "6.0.1", + "6.0.2", + "6.1.0", + "6.1.1", + "6.2.0", + "6.2.1", + "6.2.2", + "6.2.3", + "6.3.0", + "6.3.1", + "6.3.2", + "6.3.3", + "6.4.0", + "6.4.1", + "6.5.0", + "6.5.1", + "6.5.2", + "6.5.3", + "6.5.4", + "6.5.5", + "6.5.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-f2wf-25xc-69c9/GHSA-f2wf-25xc-69c9.json" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.4.4" + } + ] + } + ], + "versions": [ + "7.0.0", + "7.0.1", + "7.1.0", + "7.1.1", + "7.2.0", + "7.3.0", + "7.4.0", + "7.4.1", + "7.4.2", + "7.4.3" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-f2wf-25xc-69c9/GHSA-f2wf-25xc-69c9.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": 
"https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31042" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-31042.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/guzzle/guzzle" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5246" + }, + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-011" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200", + "CWE-212" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-06-09T23:47:25Z", + "nvd_published_at": "2022-06-10T00:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2023-11-08T04:09:25Z", + "published": "2022-06-21T20:07:16Z", + "schema_version": "1.6.0", + "id": "GHSA-q559-8m2m-g699", + "aliases": [ + "CVE-2022-31091" + ], + "summary": "Change in port should be considered a change in origin", + "details": "### Impact\n\n`Authorization` and `Cookie` headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme downgrade. Now, we consider any change in host, port or scheme to be a change in origin.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. 
Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5.\n\n### Workarounds\n\nAn alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.\n\n### References\n\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n* [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.5.8" + } + ] + } + ], + "versions": [ + "4.0.0", + "4.0.0-rc.1", + "4.0.0-rc.2", + "4.0.1", + "4.0.2", + "4.1.0", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.2.0", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "5.0.0", + "5.0.1", + "5.0.2", + "5.0.3", + "5.1.0", + "5.2.0", + "5.3.0", + "5.3.1", + "5.3.2", + "5.3.3", + "5.3.4", + "6.0.0", + "6.0.1", + "6.0.2", + "6.1.0", + "6.1.1", + "6.2.0", + "6.2.1", + "6.2.2", + "6.2.3", + "6.3.0", + "6.3.1", + "6.3.2", + "6.3.3", + "6.4.0", + "6.4.1", + "6.5.0", + "6.5.1", + "6.5.2", + "6.5.3", + "6.5.4", + "6.5.5", + "6.5.6", + "6.5.7", + "v1.0.3", + "v1.0.4", + "v2.0.0", + "v2.0.1", + "v2.0.2", + "v2.0.3", + "v2.0.4", + "v2.0.5", + "v2.1.0", + "v2.1.1", + "v2.1.2", + "v2.1.3", + "v2.1.4", + "v2.2.0", + "v2.2.1", + "v2.2.2", + "v2.2.3", + "v2.2.4", + "v2.3.2", + "v2.4.0", + 
"v2.4.1", + "v2.5.0", + "v2.6.0", + "v2.6.1", + "v2.6.2", + "v2.6.3", + "v2.6.4", + "v2.6.5", + "v2.6.6", + "v2.7.0", + "v2.7.1", + "v2.7.2", + "v2.8.0", + "v2.8.1", + "v2.8.2", + "v2.8.3", + "v2.8.4", + "v2.8.5", + "v2.8.6", + "v2.8.7", + "v2.8.8", + "v3.0.0", + "v3.0.1", + "v3.0.2", + "v3.0.3", + "v3.0.4", + "v3.0.5", + "v3.0.6", + "v3.0.7", + "v3.1.0", + "v3.1.1", + "v3.1.2", + "v3.2.0", + "v3.3.0", + "v3.3.1", + "v3.4.0", + "v3.4.1", + "v3.4.2", + "v3.4.3", + "v3.5.0", + "v3.6.0", + "v3.7.0", + "v3.7.1", + "v3.7.2", + "v3.7.3", + "v3.7.4", + "v3.8.0", + "v3.8.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-q559-8m2m-g699/GHSA-q559-8m2m-g699.json" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.4.5" + } + ] + } + ], + "versions": [ + "7.0.0", + "7.0.1", + "7.1.0", + "7.1.1", + "7.2.0", + "7.3.0", + "7.4.0", + "7.4.1", + "7.4.2", + "7.4.3", + "7.4.4" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-q559-8m2m-g699/GHSA-q559-8m2m-g699.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31091" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-31091.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/guzzle/guzzle" + }, + 
{ + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202305-24" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5246" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-06-21T20:07:16Z", + "nvd_published_at": "2022-06-27T22:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:16:31Z", + "published": "2022-06-09T23:47:23Z", + "schema_version": "1.6.0", + "id": "GHSA-w248-ffj2-4v5q", + "aliases": [ + "BIT-drupal-2022-31043", + "CVE-2022-31043" + ], + "summary": "Fix failure to strip Authorization header on HTTP downgrade", + "details": "### Impact\n\n`Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4.\n\n### Workarounds\n\nAn alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.\n\n### References\n\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). 
Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "6.5.7" + } + ] + } + ], + "versions": [ + "4.0.0", + "4.0.1", + "4.0.2", + "4.1.0", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.2.0", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "5.0.0", + "5.0.1", + "5.0.2", + "5.0.3", + "5.1.0", + "5.2.0", + "5.3.0", + "5.3.1", + "5.3.2", + "5.3.3", + "5.3.4", + "6.0.0", + "6.0.1", + "6.0.2", + "6.1.0", + "6.1.1", + "6.2.0", + "6.2.1", + "6.2.2", + "6.2.3", + "6.3.0", + "6.3.1", + "6.3.2", + "6.3.3", + "6.4.0", + "6.4.1", + "6.5.0", + "6.5.1", + "6.5.2", + "6.5.3", + "6.5.4", + "6.5.5", + "6.5.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-w248-ffj2-4v5q/GHSA-w248-ffj2-4v5q.json" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/guzzle", + "purl": "pkg:composer/guzzlehttp/guzzle" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "7.0.0" + }, + { + "fixed": "7.4.4" + } + ] + } + ], + "versions": [ + "7.0.0", + "7.0.1", + "7.1.0", + "7.1.1", + "7.2.0", + "7.3.0", + "7.4.0", + "7.4.1", + "7.4.2", + "7.4.3" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-w248-ffj2-4v5q/GHSA-w248-ffj2-4v5q.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": 
"https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31043" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-31043.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/guzzle/guzzle" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5246" + }, + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-011" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200", + "CWE-212", + "CWE-863" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-06-09T23:47:23Z", + "nvd_published_at": "2022-06-10T00:15:00Z", + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-25mq-v84q-4j7r" + ], + "aliases": [ + "CVE-2022-31090", + "GHSA-25mq-v84q-4j7r" + ] + }, + { + "ids": [ + "GHSA-cwmx-hcrq-mhc3" + ], + "aliases": [ + "BIT-drupal-2022-29248", + "CVE-2022-29248", + "GHSA-cwmx-hcrq-mhc3" + ] + }, + { + "ids": [ + "GHSA-f2wf-25xc-69c9" + ], + "aliases": [ + "BIT-drupal-2022-31042", + "CVE-2022-31042", + "GHSA-f2wf-25xc-69c9" + ] + }, + { + "ids": [ + "GHSA-q559-8m2m-g699" + ], + "aliases": [ + "CVE-2022-31091", + "GHSA-q559-8m2m-g699" + ] + }, + { + "ids": [ + "GHSA-w248-ffj2-4v5q" + ], + "aliases": [ + "BIT-drupal-2022-31043", + "CVE-2022-31043", + "GHSA-w248-ffj2-4v5q" + ] + } + ] + }, + { + "package": { + "name": "guzzlehttp/psr7", + "version": "1.6.1", + "ecosystem": "Packagist" + }, + "vulnerabilities": [ + { + "modified": "2024-02-16T07:57:21Z", + "published": "2022-03-25T19:26:33Z", + "schema_version": "1.6.0", + "id": "GHSA-q7rv-6hp3-vh96", + "aliases": [ + "BIT-drupal-2022-24775", + "CVE-2022-24775", + 
"CVE-2023-29197", + "CVE-2023-29530", + "GHSA-wxmh-65f7-jcvw", + "GHSA-xv3h-4844-9h36" + ], + "summary": "Improper Input Validation in guzzlehttp/psr7", + "details": "### Impact\n\nImproper header parsing. An attacker could sneak in a carriage return character (`\\r`) and pass untrusted values in both the header names and values.\n\n### Patches\n\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4\n", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/psr7", + "purl": "pkg:composer/guzzlehttp/psr7" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.8.4" + } + ] + } + ], + "versions": [ + "1.0.0", + "1.1.0", + "1.2.0", + "1.2.1", + "1.2.2", + "1.2.3", + "1.3.0", + "1.3.1", + "1.4.0", + "1.4.1", + "1.4.2", + "1.5.0", + "1.5.1", + "1.5.2", + "1.6.0", + "1.6.1", + "1.7.0", + "1.8.0", + "1.8.1", + "1.8.2", + "1.8.3" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-q7rv-6hp3-vh96/GHSA-q7rv-6hp3-vh96.json" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/psr7", + "purl": "pkg:composer/guzzlehttp/psr7" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.1.1" + } + ] + } + ], + "versions": [ + "2.0.0", + "2.1.0" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-q7rv-6hp3-vh96/GHSA-q7rv-6hp3-vh96.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96" + }, + { + "type": "ADVISORY", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-24775" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/guzzle/psr7" + }, + { + "type": "WEB", + "url": "https://www.drupal.org/sa-core-2022-006" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-03-25T19:26:33Z", + "nvd_published_at": "2022-03-21T19:15:00Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-16T08:15:38Z", + "published": "2023-04-19T18:25:53Z", + "schema_version": "1.6.0", + "id": "GHSA-wxmh-65f7-jcvw", + "aliases": [ + "BIT-drupal-2022-24775", + "CVE-2022-24775", + "CVE-2023-29197", + "CVE-2023-29530", + "GHSA-q7rv-6hp3-vh96", + "GHSA-xv3h-4844-9h36" + ], + "summary": "Improper header name validation in guzzlehttp/psr7", + "details": "### Impact\n\nImproper header parsing. An attacker could sneak in a newline (`\\n`) into both the header names and values. 
While the specification states that `\\r\\n\\r\\n` is used to terminate the header list, many servers in the wild will also accept `\\n\\n`.\n\n### Patches\n\nThe issue is patched in 1.9.1 and 2.4.5.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4\n", + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/psr7", + "purl": "pkg:composer/guzzlehttp/psr7" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.9.1" + } + ] + } + ], + "versions": [ + "1.0.0", + "1.1.0", + "1.2.0", + "1.2.1", + "1.2.2", + "1.2.3", + "1.3.0", + "1.3.1", + "1.4.0", + "1.4.1", + "1.4.2", + "1.5.0", + "1.5.1", + "1.5.2", + "1.6.0", + "1.6.1", + "1.7.0", + "1.8.0", + "1.8.1", + "1.8.2", + "1.8.3", + "1.8.4", + "1.8.5", + "1.9.0" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-wxmh-65f7-jcvw/GHSA-wxmh-65f7-jcvw.json" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "guzzlehttp/psr7", + "purl": "pkg:composer/guzzlehttp/psr7" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.4.5" + } + ] + } + ], + "versions": [ + "2.0.0", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.1", + "2.2.2", + "2.3.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.4.4" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-wxmh-65f7-jcvw/GHSA-wxmh-65f7-jcvw.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96" + }, + { + "type": "WEB", + "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw" + 
}, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29197" + }, + { + "type": "WEB", + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775" + }, + { + "type": "WEB", + "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/guzzle/psr7" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-436" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-04-19T18:25:53Z", + "nvd_published_at": "2023-04-17T22:15:09Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-q7rv-6hp3-vh96", + "GHSA-wxmh-65f7-jcvw" + ], + "aliases": [ + "BIT-drupal-2022-24775", + "CVE-2022-24775", + "CVE-2023-29197", + "CVE-2023-29530", + "GHSA-q7rv-6hp3-vh96", + "GHSA-wxmh-65f7-jcvw", + "GHSA-xv3h-4844-9h36" + ] + } + ] + } + ] + }, + { + "source": { + "path": "/tmpgapps/requirements.txt", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "jinja2", + "version": "3.0.3", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-16T08:18:43Z", + "published": "2024-01-11T15:20:48Z", + "schema_version": "1.6.0", + "id": "GHSA-h5c8-rqwp-cp95", + "aliases": [ + "CVE-2024-22195" + ], + "summary": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", + "details": "The 
`xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. Note that accepting keys as user input is not common or a particularly intended use case of the `xmlattr` filter, and an application doing so should already be verifying what keys are provided regardless of this fix.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "jinja2", + "purl": "pkg:pypi/jinja2" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.3" + } + ] + } + ], + "versions": [ + "2.0", + "2.0rc1", + "2.1", + "2.1.1", + "2.10", + "2.10.1", + "2.10.2", + "2.10.3", + "2.11.0", + "2.11.1", + "2.11.2", + "2.11.3", + "2.2", + "2.2.1", + "2.3", + "2.3.1", + "2.4", + "2.4.1", + "2.5", + "2.5.1", + "2.5.2", + "2.5.3", + "2.5.4", + "2.5.5", + "2.6", + "2.7", + "2.7.1", + "2.7.2", + "2.7.3", + "2.8", + "2.8.1", + "2.9", + "2.9.1", + "2.9.2", + "2.9.3", + "2.9.4", + "2.9.5", + "2.9.6", + "3.0.0", + "3.0.0a1", + "3.0.0rc1", + "3.0.0rc2", + "3.0.1", + "3.0.2", + "3.0.3", + "3.1.0", + "3.1.1", + "3.1.2" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-h5c8-rqwp-cp95/GHSA-h5c8-rqwp-cp95.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22195" + }, + { + "type": "WEB", + "url": 
"https://github.com/pallets/jinja/commit/716795349a41d4983a9a4771f7d883c96ea17be7" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/jinja" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/jinja/releases/tag/3.1.3" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00010.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5XCWZD464AJJJUBOO7CMPXQ4ROBC6JX2" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DELCVUUYX75I5K4Q5WMJG4MUZJA6VAIP" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O7YWRBX6JQCWC2XXCTZ55C7DPMGICCN3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-01-11T15:20:48Z", + "nvd_published_at": "2024-01-11T03:15:11Z", + "severity": "MODERATE" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-h5c8-rqwp-cp95" + ], + "aliases": [ + "CVE-2024-22195", + "GHSA-h5c8-rqwp-cp95" + ] + } + ] + }, + { + "package": { + "name": "urllib3", + "version": "1.26.17", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-16T08:10:31Z", + "published": "2023-10-17T20:15:25Z", + "schema_version": "1.6.0", + "id": "GHSA-g4mx-q9vg-27p4", + "aliases": [ + "CVE-2023-45803", + "PYSEC-2023-212" + ], + "summary": "urllib3's request body not stripped after redirect from 303 status changes request method to GET", + "details": "urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 \"See Other\" after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. 
Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.\n\nFrom [RFC 9110 Section 9.3.1](https://www.rfc-editor.org/rfc/rfc9110.html#name-get):\n\n\u003e A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.\n\n## Affected usages\n\nBecause the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.\n\nBoth of the following conditions must be true to be affected by this vulnerability:\n\n* If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)\n* The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.\n\n## Remediation\n\nYou can remediate this vulnerability with any of the following steps:\n\n* Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)\n* Disable redirects for services that you aren't expecting to respond with redirects with `redirects=False`.\n* Disable automatic redirects with `redirects=False` and handle 303 redirects manually by stripping the HTTP request body.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.7" + } + ] + } + ], + "versions": [ + "2.0.0", + "2.0.1", + "2.0.2", + "2.0.3", + 
"2.0.4", + "2.0.5", + "2.0.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.26.18" + } + ] + } + ], + "versions": [ + "0.2", + "0.3", + "0.3.1", + "0.4.0", + "0.4.1", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.11", + "1.12", + "1.13", + "1.13.1", + "1.14", + "1.15", + "1.15.1", + "1.16", + "1.17", + "1.18", + "1.18.1", + "1.19", + "1.19.1", + "1.2", + "1.2.1", + "1.2.2", + "1.20", + "1.21", + "1.21.1", + "1.22", + "1.23", + "1.24", + "1.24.1", + "1.24.2", + "1.24.3", + "1.25", + "1.25.1", + "1.25.10", + "1.25.11", + "1.25.2", + "1.25.3", + "1.25.4", + "1.25.5", + "1.25.6", + "1.25.7", + "1.25.8", + "1.25.9", + "1.26.0", + "1.26.1", + "1.26.10", + "1.26.11", + "1.26.12", + "1.26.13", + "1.26.14", + "1.26.15", + "1.26.16", + "1.26.17", + "1.26.2", + "1.26.3", + "1.26.4", + "1.26.5", + "1.26.6", + "1.26.7", + "1.26.8", + "1.26.9", + "1.3", + "1.4", + "1.5", + "1.6", + "1.7", + "1.7.1", + "1.8", + "1.8.2", + "1.8.3", + "1.9", + "1.9.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g4mx-q9vg-27p4/GHSA-g4mx-q9vg-27p4.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45803" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/4e50fbc5db74e32cabd5ccc1ab81fc103adfe0b3" + }, + { + "type": 
"WEB", + "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-212.yaml" + }, + { + "type": "PACKAGE", + "url": "https://github.com/urllib3/urllib3" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/releases/tag/1.26.18" + }, + { + "type": "WEB", + "url": "https://github.com/urllib3/urllib3/releases/tag/2.0.7" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4R2Y5XK3WALSR3FNAGN7JBYV2B343ZKB/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5F5CUBAN5XMEBVBZPHFITBLMJV5FIJJ5/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-10-17T20:15:25Z", + "nvd_published_at": "2023-10-17T20:15:10Z", + "severity": "MODERATE" + } + }, + { + "modified": "2023-11-08T04:13:39Z", + "published": "2023-10-17T20:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-212", + "aliases": [ + "CVE-2023-45803", + "GHSA-g4mx-q9vg-27p4" + ], + "details": "urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. 
Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. 
Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "urllib3", + "purl": "pkg:pypi/urllib3" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4e98d57809dacab1cbe625fddeec1a290c478ea9" + } + ], + "repo": "https://github.com/urllib3/urllib3" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.0.0" + }, + { + "fixed": "2.0.7" + }, + { + "introduced": "0" + }, + { + "fixed": "1.26.18" + } + ] + } + ], + "versions": [ + "0.2", + "0.3", + "0.3.1", + "0.4.0", + "0.4.1", + "1.0", + "1.0.1", + "1.0.2", + "1.1", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.11", + "1.12", + "1.13", + "1.13.1", + "1.14", + "1.15", + "1.15.1", + "1.16", + "1.17", + "1.18", + "1.18.1", + "1.19", + "1.19.1", + "1.2", + "1.2.1", + "1.2.2", + "1.20", + "1.21", + "1.21.1", + "1.22", + "1.23", + "1.24", + "1.24.1", + "1.24.2", + "1.24.3", + "1.25", + "1.25.1", + "1.25.10", + "1.25.11", + "1.25.2", + "1.25.3", + "1.25.4", + "1.25.5", + "1.25.6", + "1.25.7", + "1.25.8", + "1.25.9", + "1.26.0", + "1.26.1", + "1.26.10", + "1.26.11", + "1.26.12", + "1.26.13", + "1.26.14", + "1.26.15", + "1.26.16", + "1.26.17", + "1.26.2", + "1.26.3", + "1.26.4", + "1.26.5", + "1.26.6", + "1.26.7", + "1.26.8", + "1.26.9", + "1.3", + "1.4", + "1.5", + "1.6", + "1.7", + "1.7.1", + "1.8", + "1.8.2", + "1.8.3", + "1.9", + "1.9.1", + "2.0.0", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2023-212.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + 
"references": [ + { + "type": "ADVISORY", + "url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4" + }, + { + "type": "WEB", + "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-get" + }, + { + "type": "FIX", + "url": "https://github.com/urllib3/urllib3/commit/4e98d57809dacab1cbe625fddeec1a290c478ea9" + }, + { + "type": "ARTICLE", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PPDPLM6UUMN55ESPQWJFLLIZY4ZKCNRX/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-g4mx-q9vg-27p4", + "PYSEC-2023-212" + ], + "aliases": [ + "CVE-2023-45803", + "GHSA-g4mx-q9vg-27p4", + "PYSEC-2023-212" + ] + } + ] + }, + { + "package": { + "name": "werkzeug", + "version": "2.2.3", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-16T08:12:37Z", + "published": "2023-10-25T14:22:59Z", + "schema_version": "1.6.0", + "id": "GHSA-hrfv-mqp8-q5rw", + "aliases": [ + "CVE-2023-46136", + "PYSEC-2023-221" + ], + "summary": "Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning", + "details": "Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. 
The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.1" + } + ] + } + ], + "versions": [ + "3.0.0" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-hrfv-mqp8-q5rw/GHSA-hrfv-mqp8-q5rw.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "werkzeug.sansio.multipart.MultipartDecoder._parse_data" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.8" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + "2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + 
"2.3.7" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-hrfv-mqp8-q5rw/GHSA-hrfv-mqp8-q5rw.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "werkzeug.sansio.multipart.MultipartDecoder._parse_data" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46136" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9" + }, + { + "type": "WEB", + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2" + }, + { + "type": "PACKAGE", + "url": "https://github.com/pallets/werkzeug" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20231124-0008/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-787" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-10-25T14:22:59Z", + "nvd_published_at": "2023-10-25T18:17:36Z", + "severity": "MODERATE" + } + }, + { + "modified": "2023-11-08T18:38:34Z", + "published": "2023-10-25T18:17:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-221", + "aliases": [ + "CVE-2023-46136", + "GHSA-hrfv-mqp8-q5rw" + ], + "details": "Werkzeug is a comprehensive WSGI web application library. 
If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "werkzeug", + "purl": "pkg:pypi/werkzeug" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "f3c803b3ade485a45f12b6d6617595350c0f03e2" + }, + { + "fixed": "f2300208d5e2a5076cbbb4c2aad71096fd040ef9" + } + ], + "repo": "https://github.com/pallets/werkzeug" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.3.8" + }, + { + "introduced": "3.0.0" + }, + { + "fixed": "3.0.1" + } + ] + } + ], + "versions": [ + "0.1", + "0.10", + "0.10.1", + "0.10.2", + "0.10.3", + "0.10.4", + "0.11", + "0.11.1", + "0.11.10", + "0.11.11", + "0.11.12", + "0.11.13", + "0.11.14", + "0.11.15", + "0.11.2", + "0.11.3", + "0.11.4", + "0.11.5", + "0.11.6", + "0.11.7", + "0.11.8", + "0.11.9", + "0.12", + "0.12.1", + "0.12.2", + "0.13", + "0.14", + "0.14.1", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.15.4", + "0.15.5", + "0.15.6", + "0.16.0", + "0.16.1", + "0.2", + "0.3", + "0.3.1", + "0.4", + "0.4.1", + "0.5", + "0.5.1", + "0.6", + "0.6.1", + "0.6.2", + "0.7", + "0.7.1", + "0.7.2", + "0.8", + "0.8.1", + "0.8.2", + "0.8.3", + "0.9", + "0.9.1", + "0.9.2", + "0.9.3", + "0.9.4", + "0.9.5", + "0.9.6", + "1.0.0", + "1.0.0rc1", + "1.0.1", + "2.0.0", + "2.0.0rc1", + "2.0.0rc2", + "2.0.0rc3", + "2.0.0rc4", + "2.0.0rc5", + "2.0.1", + "2.0.2", + "2.0.3", + "2.1.0", + "2.1.1", + "2.1.2", + "2.2.0", + "2.2.0a1", + "2.2.1", + "2.2.2", + 
"2.2.3", + "2.3.0", + "2.3.1", + "2.3.2", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "3.0.0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/werkzeug/PYSEC-2023-221.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2" + }, + { + "type": "ADVISORY", + "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-hrfv-mqp8-q5rw", + "PYSEC-2023-221" + ], + "aliases": [ + "CVE-2023-46136", + "GHSA-hrfv-mqp8-q5rw", + "PYSEC-2023-221" + ] + } + ] + } + ] + }, + { + "source": { + "path": "/tmphumble/requirements.txt", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "requests", + "version": "2.29.0", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-16T08:09:04Z", + "published": "2023-05-22T20:36:32Z", + "schema_version": "1.6.0", + "id": "GHSA-j8r2-6x86-q33q", + "aliases": [ + "CVE-2023-32681", + "PYSEC-2023-74" + ], + "summary": "Unintended leak of Proxy-Authorization header in requests", + "details": "### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. 
`https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP → HTTPS: **leak**\n2. HTTPS → HTTP: **no leak**\n3. HTTPS → HTTPS: **leak**\n4. HTTP → HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. 
The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@gmail.com)", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "requests", + "purl": "pkg:pypi/requests" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.31.0" + } + ] + } + ], + "versions": [ + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.12.2", + "2.12.3", + "2.12.4", + "2.12.5", + "2.13.0", + "2.14.0", + "2.14.1", + "2.14.2", + "2.15.0", + "2.15.1", + "2.16.0", + "2.16.1", + "2.16.2", + "2.16.3", + "2.16.4", + "2.16.5", + "2.17.0", + "2.17.1", + "2.17.2", + "2.17.3", + "2.18.0", + "2.18.1", + "2.18.2", + "2.18.3", + "2.18.4", + "2.19.0", + "2.19.1", + "2.20.0", + "2.20.1", + "2.21.0", + "2.22.0", + "2.23.0", + "2.24.0", + "2.25.0", + "2.25.1", + "2.26.0", + "2.27.0", + "2.27.1", + "2.28.0", + "2.28.1", + "2.28.2", + "2.29.0", + "2.3.0", + "2.30.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.5.0", + "2.5.1", + "2.5.2", + "2.5.3", + "2.6.0", + "2.6.1", + "2.6.2", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "2.9.1", + "2.9.2" + ], + "database_specific": { + "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-j8r2-6x86-q33q/GHSA-j8r2-6x86-q33q.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "requests.sessions.SessionRedirectMixin.rebuild_proxies" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "type": "PACKAGE", + "url": "https://github.com/psf/requests" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202309-08" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-05-22T20:36:32Z", + "nvd_published_at": "2023-05-26T18:15:14Z", + "severity": "MODERATE" + } + }, + { + "modified": "2023-11-08T04:12:35Z", + "published": "2023-05-26T18:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-74", + "aliases": [ + "CVE-2023-32681", + "GHSA-j8r2-6x86-q33q" + ], + "details": "Requests is a HTTP library. 
Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "requests", + "purl": "pkg:pypi/requests" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + } + ], + "repo": "https://github.com/psf/requests" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.31.0" + } + ] + } + ], + "versions": [ + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.12.2", + "2.12.3", + "2.12.4", + "2.12.5", + "2.13.0", + "2.14.0", + "2.14.1", + "2.14.2", + "2.15.0", + "2.15.1", + "2.16.0", + "2.16.1", + "2.16.2", + "2.16.3", + "2.16.4", + "2.16.5", + "2.17.0", + "2.17.1", + "2.17.2", + "2.17.3", + "2.18.0", + "2.18.1", + "2.18.2", + "2.18.3", + "2.18.4", + "2.19.0", + "2.19.1", + "2.20.0", + "2.20.1", + "2.21.0", + "2.22.0", + "2.23.0", + "2.24.0", + "2.25.0", + "2.25.1", + "2.26.0", + "2.27.0", + "2.27.1", + "2.28.0", + "2.28.1", + "2.28.2", + "2.29.0", + "2.3.0", + "2.30.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.5.0", + "2.5.1", + "2.5.2", + "2.5.3", + "2.6.0", + "2.6.1", + "2.6.2", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "2.9.1", + 
"2.9.2" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2023-74.yaml" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "type": "FIX", + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-j8r2-6x86-q33q", + "PYSEC-2023-74" + ], + "aliases": [ + "CVE-2023-32681", + "GHSA-j8r2-6x86-q33q", + "PYSEC-2023-74" + ] + } + ] + } + ] + }, + { + "source": { + "path": "/tmprengine/", + "type": "git" + }, + "packages": [ + { + "package": { + "name": "", + "version": "", + "ecosystem": "", + "commit": "f5f3c22f3ed5a6804a2a8d9ee9fa43044cfa24a6" + }, + "vulnerabilities": [ + { + "modified": "2024-01-09T23:00:42Z", + "published": "2024-01-01T18:15:09Z", + "schema_version": "1.6.0", + "id": "CVE-2023-50094", + "details": "reNgine through 2.0.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. 
The commands are executed as root via subprocess.check_output.", + "affected": [ + { + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "fd5a5e5faa1e289cbf421e8aaf6014452efaef1f" + } + ], + "repo": "https://github.com/yogeshojha/rengine" + } + ], + "versions": [ + "v0.1", + "v0.2", + "v0.3", + "v0.5", + "v1.0", + "v1.0.1", + "v1.0.2", + "v1.1.0", + "v1.2.0", + "v1.3.0", + "v1.3.1", + "v1.3.2", + "v1.3.3", + "v1.3.4", + "v1.3.5", + "v1.3.6", + "v2.0.0", + "v2.0.1", + "v2.0.2" + ], + "database_specific": { + "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50094.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://www.mattz.io/posts/cve-2023-50094/" + }, + { + "type": "WEB", + "url": "https://github.com/yogeshojha/rengine/blob/5e120bd5f9dfbd1da82a193e8c9702e483d38d22/web/api/views.py#L195" + }, + { + "type": "WEB", + "url": "https://github.com/yogeshojha/rengine/releases" + }, + { + "type": "WEB", + "url": "https://github.com/yogeshojha/rengine/security" + } + ] + } + ], + "groups": [ + { + "ids": [ + "CVE-2023-50094" + ], + "aliases": [ + "CVE-2023-50094" + ] + } + ] + } + ] + }, + { + "source": { + "path": "/tmprengine/web/requirements.txt", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "django", + "version": "3.2.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-18T05:31:29Z", + "published": "2022-04-13T00:00:33Z", + "schema_version": "1.6.0", + "id": "GHSA-2gwj-7jmv-h26r", + "aliases": [ + "BIT-django-2022-28346", + "CVE-2022-28346", + "PYSEC-2022-190" + ], + "summary": "SQL Injection in Django", + "details": "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. 
`QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed `**kwargs`.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.28" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.27", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.QuerySet.annotate", + "django.db.models.QuerySet.aggregate", + "django.db.models.QuerySet.extra" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.13" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.QuerySet.annotate", + "django.db.models.QuerySet.aggregate", + "django.db.models.QuerySet.extra" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": 
"ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.4" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-2gwj-7jmv-h26r/GHSA-2gwj-7jmv-h26r.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.QuerySet.annotate", + "django.db.models.QuerySet.aggregate", + "django.db.models.QuerySet.extra" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28346" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2gwj-7jmv-h26r" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-190.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK" + }, + { + "type": "WEB", + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220609-0002" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5254" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-04-22T20:33:03Z", + "nvd_published_at": "2022-04-12T05:15:00Z", + "severity": "CRITICAL" + } + }, + { + "modified": "2024-02-18T05:33:39Z", + "published": "2023-02-15T03:30:47Z", + "schema_version": "1.6.0", + "id": "GHSA-2hrw-hx67-34x6", + "aliases": [ + "BIT-django-2023-24580", + "CVE-2023-24580", + "PYSEC-2023-13" + ], + "summary": "Resource exhaustion in Django", + "details": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. 
Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.18" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2hrw-hx67-34x6/GHSA-2hrw-hx67-34x6.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.7" + } + ] + } + ], + "versions": [ + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2hrw-hx67-34x6/GHSA-2hrw-hx67-34x6.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.10" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.0.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2hrw-hx67-34x6/GHSA-2hrw-hx67-34x6.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + 
"references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24580" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/628b33a854a9c68ec8a0c51f382f304a0044ec92" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/83f1ea83e4553e211c1c5a0dfc197b66d4e50432" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.1/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00023.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20230316-0006" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/02/14/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], 
+ "github_reviewed": true, + "github_reviewed_at": "2023-02-15T17:42:14Z", + "nvd_published_at": "2023-02-15T01:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-18T05:31:53Z", + "published": "2022-01-12T19:20:53Z", + "schema_version": "1.6.0", + "id": "GHSA-53qw-q765-4fww", + "aliases": [ + "BIT-django-2021-45115", + "CVE-2021-45115", + "PYSEC-2022-1" + ], + "summary": "Denial-of-service in Django", + "details": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. `UserAttributeSimilarityValidator` incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.26" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-53qw-q765-4fww/GHSA-53qw-q765-4fww.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.11" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-53qw-q765-4fww/GHSA-53qw-q765-4fww.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.1" + } + ] + } + ], + "versions": [ + "4.0" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-53qw-q765-4fww/GHSA-53qw-q765-4fww.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45115" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220121-0005" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-01-12T19:18:33Z", + "nvd_published_at": "2022-01-05T00:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:11:59Z", + "published": "2022-02-04T00:00:26Z", + "schema_version": "1.6.0", + "id": "GHSA-6cw3-g6wv-c2xv", + "aliases": [ + "BIT-django-2022-23833", + "CVE-2022-23833", + "PYSEC-2022-20" + ], + "summary": "Infinite Loop in Django", + "details": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 
3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.27" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6cw3-g6wv-c2xv/GHSA-6cw3-g6wv-c2xv.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.12" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6cw3-g6wv-c2xv/GHSA-6cw3-g6wv-c2xv.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.2" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6cw3-g6wv-c2xv/GHSA-6cw3-g6wv-c2xv.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + 
"references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23833" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220221-0003" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5254" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-835" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-02-04T16:30:27Z", + "nvd_published_at": "2022-02-03T02:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:10:39Z", + "published": "2023-11-03T06:36:29Z", + "schema_version": "1.6.0", + "id": "GHSA-7h4p-27mh-hmrw", + "aliases": [ + "BIT-django-2023-41164", + "CVE-2023-41164", + "PYSEC-2023-225" + ], + "summary": "Django Denial of service vulnerability in django.utils.encoding.uri_to_iri", + "details": "In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + 
"introduced": "3.2" + }, + { + "fixed": "3.2.21" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-7h4p-27mh-hmrw/GHSA-7h4p-27mh-hmrw.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.utils.encoding.uri_to_iri" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1" + }, + { + "fixed": "4.1.11" + } + ] + } + ], + "versions": [ + "4.1", + "4.1.1", + "4.1.10", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-7h4p-27mh-hmrw/GHSA-7h4p-27mh-hmrw.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.utils.encoding.uri_to_iri" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2" + }, + { + "fixed": "4.2.5" + } + ] + } + ], + "versions": [ + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-7h4p-27mh-hmrw/GHSA-7h4p-27mh-hmrw.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.utils.encoding.uri_to_iri" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-41164" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-225.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20231214-0002" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2023/sep/04/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1284", + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-11-03T19:32:41Z", + "nvd_published_at": "2023-11-03T05:15:29Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-16T08:16:17Z", + "published": "2022-01-12T19:21:10Z", + "schema_version": "1.6.0", + "id": "GHSA-8c5j-9r9f-c6w8", + "aliases": [ + "BIT-django-2021-45116", + "CVE-2021-45116", + "PYSEC-2022-2" + ], + "summary": "Information disclosure in Django", + "details": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 
3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.26" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-8c5j-9r9f-c6w8/GHSA-8c5j-9r9f-c6w8.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.template.defaultfilters.dictsort", + "django.template.defaultfilters.dictsortreversed" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.11" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-8c5j-9r9f-c6w8/GHSA-8c5j-9r9f-c6w8.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.template.defaultfilters.dictsort", + "django.template.defaultfilters.dictsortreversed" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + 
"events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.1" + } + ] + } + ], + "versions": [ + "4.0" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-8c5j-9r9f-c6w8/GHSA-8c5j-9r9f-c6w8.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45116" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/2a8ec7f546d6d5806e221ec948c5146b55bd7489" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/c7fe895bca06daf12cc1670b56eaf72a1ef27a16" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220121-0005" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-01-12T19:18:36Z", + "nvd_published_at": "2022-01-05T00:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-18T05:33:36Z", + "published": "2022-08-11T14:49:12Z", + "schema_version": "1.6.0", + "id": "GHSA-8x94-hmjh-97hq", + "aliases": [ + "BIT-django-2022-36359", + "CVE-2022-36359", + "CVE-2022-45442", + "GHSA-2x8x-jmrp-phxw", + "PYSEC-2022-245" + ], + "summary": "Django 
vulnerable to Reflected File Download attack ", + "details": "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.15" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8x94-hmjh-97hq/GHSA-8x94-hmjh-97hq.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.7" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8x94-hmjh-97hq/GHSA-8x94-hmjh-97hq.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.15" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8x94-hmjh-97hq/GHSA-8x94-hmjh-97hq.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.7" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8x94-hmjh-97hq/GHSA-8x94-hmjh-97hq.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36359" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8x94-hmjh-97hq" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-245.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/django-announce/c/8cz--gvaJr4" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220915-0008" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5254" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/aug/03/security-releases" + }, + { + "type": "WEB", + "url": 
"http://www.openwall.com/lists/oss-security/2022/08/03/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-494" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-08-11T14:49:12Z", + "nvd_published_at": "2022-08-03T14:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:20:51Z", + "published": "2022-02-04T00:00:33Z", + "schema_version": "1.6.0", + "id": "GHSA-95rw-fx8r-36v6", + "aliases": [ + "BIT-django-2022-22818", + "CVE-2022-22818", + "PYSEC-2022-19" + ], + "summary": "Cross-site Scripting in Django", + "details": "The `{% debug %}` template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.27" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-95rw-fx8r-36v6/GHSA-95rw-fx8r-36v6.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.12" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-95rw-fx8r-36v6/GHSA-95rw-fx8r-36v6.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.2" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-95rw-fx8r-36v6/GHSA-95rw-fx8r-36v6.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22818" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220221-0003/" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5254" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "github_reviewed": true, + "github_reviewed_at": 
"2022-02-04T16:10:27Z", + "nvd_published_at": "2022-02-03T02:15:00Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-16T08:16:14Z", + "published": "2023-11-03T06:36:30Z", + "schema_version": "1.6.0", + "id": "GHSA-h8gc-pgj2-vjm3", + "aliases": [ + "BIT-django-2023-43665", + "CVE-2023-43665", + "PYSEC-2023-226" + ], + "summary": "Django Denial-of-service in django.utils.text.Truncator", + "details": "In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.22" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.21", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-h8gc-pgj2-vjm3/GHSA-h8gc-pgj2-vjm3.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.utils.text.Truncator" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1" + }, + { + "fixed": "4.1.12" + } + ] + } + ], + "versions": [ + "4.1", + "4.1.1", + "4.1.10", + "4.1.11", + 
"4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-h8gc-pgj2-vjm3/GHSA-h8gc-pgj2-vjm3.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.utils.text.Truncator" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2" + }, + { + "fixed": "4.2.6" + } + ] + } + ], + "versions": [ + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "4.2.5" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-h8gc-pgj2-vjm3/GHSA-h8gc-pgj2-vjm3.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.utils.text.Truncator" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43665" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/c7b7024742250414e426ad49fb80db943e7ba4e8" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-226.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + 
{ + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJFRPUHDYJHBH3KYHSPGULQM4JN7BMSU/" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2023/oct/04/security-releases/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1284", + "CWE-400" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-11-03T19:35:28Z", + "nvd_published_at": "2023-11-03T05:15:30Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-17T05:33:58Z", + "published": "2023-07-03T15:30:45Z", + "schema_version": "1.6.0", + "id": "GHSA-jh3w-4vvf-mjgr", + "aliases": [ + "BIT-django-2023-36053", + "CVE-2023-36053", + "PYSEC-2023-100" + ], + "summary": "Django has regular expression denial of service vulnerability in EmailValidator/URLValidator", + "details": "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.20" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-jh3w-4vvf-mjgr/GHSA-jh3w-4vvf-mjgr.json" + }, + "ecosystem_specific": { + "affected_functions": [ + 
"django.core.validators.URLValidator", + "django.core.validators.EmailValidator" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.1.10" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.10", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.0.9", + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9", + "4.1a1", + "4.1b1", + "4.1rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-jh3w-4vvf-mjgr/GHSA-jh3w-4vvf-mjgr.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.core.validators.URLValidator", + "django.core.validators.EmailValidator" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.3" + } + ] + } + ], + "versions": [ + "4.2", + "4.2.1", + "4.2.2" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-jh3w-4vvf-mjgr/GHSA-jh3w-4vvf-mjgr.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.core.validators.URLValidator", + "django.core.validators.EmailValidator" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36053" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd" + }, + { + "type": 
"WEB", + "url": "https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2023/dsa-5465" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1333" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-07-05T22:45:55Z", + "nvd_published_at": "2023-07-03T13:15:09Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-18T05:43:17Z", + "published": "2022-01-12T19:21:04Z", + "schema_version": "1.6.0", + "id": 
"GHSA-jrh2-hc4r-7jwx", + "aliases": [ + "BIT-django-2021-45452", + "CVE-2021-45452", + "PYSEC-2022-3" + ], + "summary": "Directory-traversal in Django", + "details": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2.0" + }, + { + "fixed": "2.2.26" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jrh2-hc4r-7jwx/GHSA-jrh2-hc4r-7jwx.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.11" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jrh2-hc4r-7jwx/GHSA-jrh2-hc4r-7jwx.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.0.1" + } + ] + } + ], + "versions": [ + "4.0" + ], + "database_specific": { + "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jrh2-hc4r-7jwx/GHSA-jrh2-hc4r-7jwx.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45452" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/4cb35b384ceef52123fc66411a73c36a706825e1" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/8d2f7cff76200cbd2337b2cf1707e383eb1fb54b" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/e1592e0f26302e79856cc7f2218ae848ae19b0f6" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220121-0005" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-01-12T19:17:35Z", + "nvd_published_at": "2022-01-05T00:15:00Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-16T08:05:51Z", + "published": "2022-07-05T00:00:53Z", + "schema_version": "1.6.0", + "id": "GHSA-p64x-8rxx-wf6q", + "aliases": [ + "BIT-django-2022-34265", + "CVE-2022-34265", + "PYSEC-2022-213" + ], + "summary": "Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection", + "details": "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. 
The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.14" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-p64x-8rxx-wf6q/GHSA-p64x-8rxx-wf6q.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.functions.Trunc", + "django.db.models.functions.Extract" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.6" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-p64x-8rxx-wf6q/GHSA-p64x-8rxx-wf6q.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.functions.Trunc", + "django.db.models.functions.Extract" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34265" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492" + }, + { + "type": "WEB", + "url": 
"https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-p64x-8rxx-wf6q" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20220818-0006" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5254" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/jul/04/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-07-05T21:08:03Z", + "nvd_published_at": "2022-07-04T16:15:00Z", + "severity": "CRITICAL" + } + }, + { + "modified": "2024-02-18T05:33:42Z", + "published": "2023-02-01T21:30:23Z", + "schema_version": "1.6.0", + "id": "GHSA-q2jf-h9jm-m7p4", + "aliases": [ + "BIT-django-2023-23969", + "CVE-2023-23969", + "PYSEC-2023-12" + ], + "summary": "Django contains Uncontrolled Resource Consumption via cached header", + "details": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 
4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2a1" + }, + { + "fixed": "3.2.17" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "3.2a1", + "3.2b1", + "3.2rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-q2jf-h9jm-m7p4/GHSA-q2jf-h9jm-m7p4.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0a1" + }, + { + "fixed": "4.0.9" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.0a1", + "4.0b1", + "4.0rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-q2jf-h9jm-m7p4/GHSA-q2jf-h9jm-m7p4.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1a1" + }, + { + "fixed": "4.1.6" + } + ] + } + ], + "versions": [ + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1a1", + "4.1b1", + "4.1rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-q2jf-h9jm-m7p4/GHSA-q2jf-h9jm-m7p4.json" + } + } + 
], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23969" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.1/releases/security" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00000.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20230302-0007" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-770" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-02-03T21:07:17Z", + "nvd_published_at": "2023-02-01T19:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:23:41Z", + "published": "2023-11-02T06:30:25Z", + "schema_version": "1.6.0", + "id": "GHSA-qmf9-6jqf-j8fq", + "aliases": [ + "CVE-2023-46695", + "PYSEC-2023-222" + ], + "summary": "Django potential denial of service vulnerability in UsernameField on Windows", + "details": "An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. 
As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.23" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.21", + "3.2.22", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-qmf9-6jqf-j8fq/GHSA-qmf9-6jqf-j8fq.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.0" + }, + { + "fixed": "4.1.13" + } + ] + } + ], + "versions": [ + "4.1", + "4.1.1", + "4.1.10", + "4.1.11", + "4.1.12", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-qmf9-6jqf-j8fq/GHSA-qmf9-6jqf-j8fq.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + "fixed": "4.2.7" + } + ] + } + ], + "versions": [ + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "4.2.5", + "4.2.6" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-qmf9-6jqf-j8fq/GHSA-qmf9-6jqf-j8fq.json" + } + } + ], + "severity": [ + { + "type": 
"CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46695" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/4965bfdde2e5a5c883685019e57d123a3368a75e" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-222.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20231214-0001" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2023/nov/01/security-releases" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400", + "CWE-770" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-11-02T21:26:14Z", + "nvd_published_at": "2023-11-02T06:15:08Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-18T05:32:12Z", + "published": "2022-10-16T12:00:23Z", + "schema_version": "1.6.0", + "id": "GHSA-qrw5-5h28-6cmg", + "aliases": [ + "BIT-django-2022-41323", + "CVE-2022-41323", + "PYSEC-2022-304" + ], + "summary": "Django denial-of-service vulnerability in internationalized URLs", + "details": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. 
", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.16" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-qrw5-5h28-6cmg/GHSA-qrw5-5h28-6cmg.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.8" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-qrw5-5h28-6cmg/GHSA-qrw5-5h28-6cmg.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1" + }, + { + "fixed": "4.1.2" + } + ] + } + ], + "versions": [ + "4.1", + "4.1.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-qrw5-5h28-6cmg/GHSA-qrw5-5h28-6cmg.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41323" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924" + }, + { + "type": "WEB", + "url": 
"https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-304.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20221124-0001" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases" + } + ], + "database_specific": { + "cwe_ids": [], + "github_reviewed": true, + "github_reviewed_at": "2022-10-18T17:10:24Z", + "nvd_published_at": "2022-10-16T06:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-16T08:10:03Z", + "published": "2023-05-07T03:30:17Z", + "schema_version": "1.6.0", + "id": "GHSA-r3xc-prgr-mg9p", + "aliases": [ + "BIT-django-2023-31047", + "CVE-2023-31047", + "PYSEC-2023-61" + ], + "summary": "Django bypasses validation when using one form field to upload multiple files", + "details": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass 
validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.19" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-r3xc-prgr-mg9p/GHSA-r3xc-prgr-mg9p.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.forms.widgets.FileInput" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "4.1.9" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.10", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.0.9", + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1a1", + "4.1b1", + "4.1rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-r3xc-prgr-mg9p/GHSA-r3xc-prgr-mg9p.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.forms.widgets.FileInput" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2.0" + }, + { + 
"fixed": "4.2.1" + } + ] + } + ], + "versions": [ + "4.2" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-r3xc-prgr-mg9p/GHSA-r3xc-prgr-mg9p.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.forms.widgets.FileInput" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31047" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/21b1b1fc03e5f9e9f8c977ee6e35618dd3b353dd" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/e7c3a2ccc3a562328600be05068ed9149e12ce64" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-61.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNEHD6N435OE2XUFGDAAVAXSYWLCUBFD/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20230609-0008/" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-05-09T21:35:46Z", + "nvd_published_at": 
"2023-05-07T02:15:08Z", + "severity": "CRITICAL" + } + }, + { + "modified": "2024-02-17T05:43:37Z", + "published": "2021-12-09T19:09:37Z", + "schema_version": "1.6.0", + "id": "GHSA-v6rh-hp5x-86rv", + "aliases": [ + "BIT-django-2021-44420", + "CVE-2021-44420", + "PYSEC-2021-439" + ], + "summary": "Potential bypass of an upstream access control based on URL paths in Django", + "details": "In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.2.25" + } + ] + } + ], + "versions": [ + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.4", + "1.1", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.10.5", + "1.10.6", + "1.10.7", + "1.10.8", + "1.10a1", + "1.10b1", + "1.10rc1", + "1.11", + "1.11.1", + "1.11.10", + "1.11.11", + "1.11.12", + "1.11.13", + "1.11.14", + "1.11.15", + "1.11.16", + "1.11.17", + "1.11.18", + "1.11.2", + "1.11.20", + "1.11.21", + "1.11.22", + "1.11.23", + "1.11.24", + "1.11.25", + "1.11.26", + "1.11.27", + "1.11.28", + "1.11.29", + "1.11.3", + "1.11.4", + "1.11.5", + "1.11.6", + "1.11.7", + "1.11.8", + "1.11.9", + "1.11a1", + "1.11b1", + "1.11rc1", + "1.2", + "1.2.1", + "1.2.2", + "1.2.3", + "1.2.4", + "1.2.5", + "1.2.6", + "1.2.7", + "1.3", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "1.3.6", + "1.3.7", + "1.4", + "1.4.1", + "1.4.10", + "1.4.11", + "1.4.12", + "1.4.13", + "1.4.14", + "1.4.15", + "1.4.16", + "1.4.17", + "1.4.18", + "1.4.19", + "1.4.2", + "1.4.20", + "1.4.21", + "1.4.22", + "1.4.3", + "1.4.4", + "1.4.5", + "1.4.6", + "1.4.7", + "1.4.8", + "1.4.9", + "1.5", + "1.5.1", + "1.5.10", 
+ "1.5.11", + "1.5.12", + "1.5.2", + "1.5.3", + "1.5.4", + "1.5.5", + "1.5.6", + "1.5.7", + "1.5.8", + "1.5.9", + "1.6", + "1.6.1", + "1.6.10", + "1.6.11", + "1.6.2", + "1.6.3", + "1.6.4", + "1.6.5", + "1.6.6", + "1.6.7", + "1.6.8", + "1.6.9", + "1.7", + "1.7.1", + "1.7.10", + "1.7.11", + "1.7.2", + "1.7.3", + "1.7.4", + "1.7.5", + "1.7.6", + "1.7.7", + "1.7.8", + "1.7.9", + "1.8", + "1.8.1", + "1.8.10", + "1.8.11", + "1.8.12", + "1.8.13", + "1.8.14", + "1.8.15", + "1.8.16", + "1.8.17", + "1.8.18", + "1.8.19", + "1.8.2", + "1.8.3", + "1.8.4", + "1.8.5", + "1.8.6", + "1.8.7", + "1.8.8", + "1.8.9", + "1.8a1", + "1.8b1", + "1.8b2", + "1.8c1", + "1.9", + "1.9.1", + "1.9.10", + "1.9.11", + "1.9.12", + "1.9.13", + "1.9.2", + "1.9.3", + "1.9.4", + "1.9.5", + "1.9.6", + "1.9.7", + "1.9.8", + "1.9.9", + "1.9a1", + "1.9b1", + "1.9rc1", + "1.9rc2", + "2.0", + "2.0.1", + "2.0.10", + "2.0.12", + "2.0.13", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.0.8", + "2.0.9", + "2.0a1", + "2.0b1", + "2.0rc1", + "2.1", + "2.1.1", + "2.1.10", + "2.1.11", + "2.1.12", + "2.1.13", + "2.1.14", + "2.1.15", + "2.1.2", + "2.1.3", + "2.1.4", + "2.1.5", + "2.1.7", + "2.1.8", + "2.1.9", + "2.1a1", + "2.1b1", + "2.1rc1", + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "2.2a1", + "2.2b1", + "2.2rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-v6rh-hp5x-86rv/GHSA-v6rh-hp5x-86rv.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0" + }, + { + "fixed": "3.1.14" + } + ] + } + ], + "versions": [ + "3.0", + "3.0.1", + 
"3.0.10", + "3.0.11", + "3.0.12", + "3.0.13", + "3.0.14", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1", + "3.1.1", + "3.1.10", + "3.1.11", + "3.1.12", + "3.1.13", + "3.1.2", + "3.1.3", + "3.1.4", + "3.1.5", + "3.1.6", + "3.1.7", + "3.1.8", + "3.1.9", + "3.1a1", + "3.1b1", + "3.1rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-v6rh-hp5x-86rv/GHSA-v6rh-hp5x-86rv.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.10" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-v6rh-hp5x-86rv/GHSA-v6rh-hp5x-86rv.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44420" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/3.2/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20211229-0006" + }, + { + "type": "WEB", + "url": 
"https://www.djangoproject.com/weblog/2021/dec/07/security-releases" + }, + { + "type": "WEB", + "url": "https://www.openwall.com/lists/oss-security/2021/12/07/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-287" + ], + "github_reviewed": true, + "github_reviewed_at": "2021-12-09T17:35:08Z", + "nvd_published_at": "2021-12-08T00:15:00Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-18T05:26:48Z", + "published": "2022-04-13T00:00:33Z", + "schema_version": "1.6.0", + "id": "GHSA-w24h-v9qh-8gxj", + "aliases": [ + "BIT-django-2022-28347", + "CVE-2022-28347", + "PYSEC-2022-191" + ], + "summary": "SQL Injection in Django", + "details": "A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.28" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.27", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-w24h-v9qh-8gxj/GHSA-w24h-v9qh-8gxj.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.QuerySet.explain" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + 
"fixed": "3.2.13" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-w24h-v9qh-8gxj/GHSA-w24h-v9qh-8gxj.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.QuerySet.explain" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.4" + } + ] + } + ], + "versions": [ + "4.0", + "4.0.1", + "4.0.2", + "4.0.3" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-w24h-v9qh-8gxj/GHSA-w24h-v9qh-8gxj.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.QuerySet.explain" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28347" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/00b0fc50e1738c7174c495464a5ef069408a4402" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/29a6c98b4c13af82064f993f0acc6e8fafa4d3f5" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/6723a26e59b0b5429a0c5873941e01a2e1bdbb81" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/9e19accb6e0a00ba77d5a95a91675bf18877c72d" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-w24h-v9qh-8gxj" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { 
+ "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-191.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI" + }, + { + "type": "WEB", + "url": "https://www.debian.org/security/2022/dsa-5254" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "github_reviewed": true, + "github_reviewed_at": "2022-04-22T20:32:48Z", + "nvd_published_at": "2022-04-12T05:15:00Z", + "severity": "CRITICAL" + } + }, + { + "modified": "2024-02-16T08:15:55Z", + "published": "2021-09-22T17:34:49Z", + "schema_version": "1.6.0", + "id": "GHSA-xpfp-f569-q3p2", + "aliases": [ + "BIT-django-2021-35042", + "CVE-2021-35042", + "PYSEC-2021-109" + ], + "summary": "SQL Injection in Django", + "details": "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2.0" + }, + { + "fixed": "3.2.5" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.2", + "3.2.3", + "3.2.4" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-xpfp-f569-q3p2/GHSA-xpfp-f569-q3p2.json" + }, + "ecosystem_specific": { + 
"affected_functions": [ + "django.db.models.query.QuerySet.order_by" + ] + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.0.0" + }, + { + "fixed": "3.1.13" + } + ] + } + ], + "versions": [ + "3.0", + "3.0.1", + "3.0.10", + "3.0.11", + "3.0.12", + "3.0.13", + "3.0.14", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1", + "3.1.1", + "3.1.10", + "3.1.11", + "3.1.12", + "3.1.2", + "3.1.3", + "3.1.4", + "3.1.5", + "3.1.6", + "3.1.7", + "3.1.8", + "3.1.9", + "3.1a1", + "3.1b1", + "3.1rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-xpfp-f569-q3p2/GHSA-xpfp-f569-q3p2.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "django.db.models.query.QuerySet.order_by" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35042" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/0bd57a879a0d54920bb9038a732645fb917040e9" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/a34a5f724c5d5adb2109374ba3989ebb7b11f81f" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/3.2/releases/security/" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/" + }, + { + "type": "WEB", + "url": "https://security.netapp.com/advisory/ntap-20210805-0008/" + }, + { + "type": "WEB", + "url": 
"https://www.djangoproject.com/weblog/2021/jul/01/security-releases/" + }, + { + "type": "WEB", + "url": "https://www.openwall.com/lists/oss-security/2021/07/02/2" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "github_reviewed": true, + "github_reviewed_at": "2021-07-03T00:06:31Z", + "nvd_published_at": "2021-07-02T10:15:00Z", + "severity": "CRITICAL" + } + }, + { + "modified": "2024-02-17T05:35:02Z", + "published": "2024-02-07T00:30:25Z", + "schema_version": "1.6.0", + "id": "GHSA-xxj9-f6rv-m3x4", + "aliases": [ + "BIT-django-2024-24680", + "CVE-2024-24680", + "PYSEC-2024-28" + ], + "summary": "Django denial-of-service attack in the intcomma template filter", + "details": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.2.24" + } + ] + } + ], + "versions": [ + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.4", + "1.1", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.10", + "1.10.1", + "1.10.2", + "1.10.3", + "1.10.4", + "1.10.5", + "1.10.6", + "1.10.7", + "1.10.8", + "1.10a1", + "1.10b1", + "1.10rc1", + "1.11", + "1.11.1", + "1.11.10", + "1.11.11", + "1.11.12", + "1.11.13", + "1.11.14", + "1.11.15", + "1.11.16", + "1.11.17", + "1.11.18", + "1.11.2", + "1.11.20", + "1.11.21", + "1.11.22", + "1.11.23", + "1.11.24", + "1.11.25", + "1.11.26", + "1.11.27", + "1.11.28", + "1.11.29", + "1.11.3", + "1.11.4", + "1.11.5", + "1.11.6", + "1.11.7", + "1.11.8", + "1.11.9", + "1.11a1", + "1.11b1", + "1.11rc1", + "1.2", + "1.2.1", + "1.2.2", + "1.2.3", + "1.2.4", + "1.2.5", + "1.2.6", + "1.2.7", + "1.3", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "1.3.6", + "1.3.7", + "1.4", + 
"1.4.1", + "1.4.10", + "1.4.11", + "1.4.12", + "1.4.13", + "1.4.14", + "1.4.15", + "1.4.16", + "1.4.17", + "1.4.18", + "1.4.19", + "1.4.2", + "1.4.20", + "1.4.21", + "1.4.22", + "1.4.3", + "1.4.4", + "1.4.5", + "1.4.6", + "1.4.7", + "1.4.8", + "1.4.9", + "1.5", + "1.5.1", + "1.5.10", + "1.5.11", + "1.5.12", + "1.5.2", + "1.5.3", + "1.5.4", + "1.5.5", + "1.5.6", + "1.5.7", + "1.5.8", + "1.5.9", + "1.6", + "1.6.1", + "1.6.10", + "1.6.11", + "1.6.2", + "1.6.3", + "1.6.4", + "1.6.5", + "1.6.6", + "1.6.7", + "1.6.8", + "1.6.9", + "1.7", + "1.7.1", + "1.7.10", + "1.7.11", + "1.7.2", + "1.7.3", + "1.7.4", + "1.7.5", + "1.7.6", + "1.7.7", + "1.7.8", + "1.7.9", + "1.8", + "1.8.1", + "1.8.10", + "1.8.11", + "1.8.12", + "1.8.13", + "1.8.14", + "1.8.15", + "1.8.16", + "1.8.17", + "1.8.18", + "1.8.19", + "1.8.2", + "1.8.3", + "1.8.4", + "1.8.5", + "1.8.6", + "1.8.7", + "1.8.8", + "1.8.9", + "1.8a1", + "1.8b1", + "1.8b2", + "1.8c1", + "1.9", + "1.9.1", + "1.9.10", + "1.9.11", + "1.9.12", + "1.9.13", + "1.9.2", + "1.9.3", + "1.9.4", + "1.9.5", + "1.9.6", + "1.9.7", + "1.9.8", + "1.9.9", + "1.9a1", + "1.9b1", + "1.9rc1", + "1.9rc2", + "2.0", + "2.0.1", + "2.0.10", + "2.0.12", + "2.0.13", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.0.8", + "2.0.9", + "2.0a1", + "2.0b1", + "2.0rc1", + "2.1", + "2.1.1", + "2.1.10", + "2.1.11", + "2.1.12", + "2.1.13", + "2.1.14", + "2.1.15", + "2.1.2", + "2.1.3", + "2.1.4", + "2.1.5", + "2.1.7", + "2.1.8", + "2.1.9", + "2.1a1", + "2.1b1", + "2.1rc1", + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.27", + "2.2.28", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "2.2a1", + "2.2b1", + "2.2rc1", + "3.0", + "3.0.1", + "3.0.10", + "3.0.11", + "3.0.12", + "3.0.13", + "3.0.14", + "3.0.2", + "3.0.3", + "3.0.4", 
+ "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.0a1", + "3.0b1", + "3.0rc1", + "3.1", + "3.1.1", + "3.1.10", + "3.1.11", + "3.1.12", + "3.1.13", + "3.1.14", + "3.1.2", + "3.1.3", + "3.1.4", + "3.1.5", + "3.1.6", + "3.1.7", + "3.1.8", + "3.1.9", + "3.1a1", + "3.1b1", + "3.1rc1", + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.21", + "3.2.22", + "3.2.23", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "3.2a1", + "3.2b1", + "3.2rc1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2" + }, + { + "fixed": "4.2.10" + } + ] + } + ], + "versions": [ + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "4.2.5", + "4.2.6", + "4.2.7", + "4.2.8", + "4.2.9" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json" + } + }, + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0" + }, + { + "fixed": "5.0.2" + } + ] + } + ], + "versions": [ + "5.0", + "5.0.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-xxj9-f6rv-m3x4/GHSA-xxj9-f6rv-m3x4.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24680" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/16a8fe18a3b81250f4fa57e3f93f0599dc4895bc" + }, + { + 
"type": "WEB", + "url": "https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2" + }, + { + "type": "WEB", + "url": "https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/5.0/releases/security" + }, + { + "type": "PACKAGE", + "url": "https://github.com/django/django" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-28.yaml" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "type": "WEB", + "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases" + } + ], + "database_specific": { + "cwe_ids": [], + "github_reviewed": true, + "github_reviewed_at": "2024-02-07T17:32:14Z", + "nvd_published_at": "2024-02-06T22:16:15Z", + "severity": "MODERATE" + } + }, + { + "modified": "2023-12-06T01:01:17Z", + "published": "2021-07-02T10:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2021-109", + "aliases": [ + "BIT-django-2021-35042", + "CVE-2021-35042", + "GHSA-xpfp-f569-q3p2" + ], + "details": "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.1" + }, + { + "fixed": "3.1.13" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.5" + } + ] + } + ], + "versions": [ + "3.1", + "3.1.1", + "3.1.10", + "3.1.11", + "3.1.12", + "3.1.2", + "3.1.3", + "3.1.4", + "3.1.5", + "3.1.6", + "3.1.7", + "3.1.8", + "3.1.9", + "3.2", + "3.2.1", + "3.2.2", + "3.2.3", + "3.2.4" + ], + "database_specific": { + "source": 
"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2021-109.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/3.2/releases/security/" + }, + { + "type": "WEB", + "url": "https://www.openwall.com/lists/oss-security/2021/07/02/2" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2021/jul/01/security-releases/" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-xpfp-f569-q3p2" + } + ] + }, + { + "modified": "2023-12-06T01:01:41Z", + "published": "2021-12-08T00:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2021-439", + "aliases": [ + "BIT-django-2021-44420", + "CVE-2021-44420", + "GHSA-v6rh-hp5x-86rv" + ], + "details": "In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.25" + }, + { + "introduced": "3.1" + }, + { + "fixed": "3.1.14" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.10" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.1", + "3.1.1", + "3.1.10", + "3.1.11", + "3.1.12", + "3.1.13", + "3.1.2", + "3.1.3", + "3.1.4", + "3.1.5", + "3.1.6", + "3.1.7", + "3.1.8", + "3.1.9", + "3.2", + "3.2.1", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9" + ], + "database_specific": { + "source": 
"https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2021-439.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/3.2/releases/security/" + }, + { + "type": "WEB", + "url": "https://www.openwall.com/lists/oss-security/2021/12/07/1" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2021/dec/07/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-v6rh-hp5x-86rv" + } + ] + }, + { + "modified": "2023-12-06T01:01:43Z", + "published": "2022-01-05T00:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-1", + "aliases": [ + "BIT-django-2021-45115", + "CVE-2021-45115", + "GHSA-53qw-q765-4fww" + ], + "details": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. 
In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.26" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.11" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.1" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.2", + "3.2.1", + "3.2.10", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-1.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-53qw-q765-4fww" + } + ] + }, + { + "modified": "2023-12-06T01:01:58Z", + "published": "2022-02-03T02:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-19", + "aliases": [ + "BIT-django-2022-22818", + "CVE-2022-22818", + "GHSA-95rw-fx8r-36v6" + ], + "details": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. 
This may lead to XSS.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.27" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.12" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.2" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-19.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-95rw-fx8r-36v6" + } + ] + }, + { + "modified": "2023-12-06T01:02:11Z", + "published": "2022-04-12T05:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-190", + "aliases": [ + "BIT-django-2022-28346", + "CVE-2022-28346", + "GHSA-2gwj-7jmv-h26r" + ], + "details": "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. 
QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.4" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.13" + }, + { + "introduced": "2.2" + }, + { + "fixed": "2.2.28" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.27", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.2", + "4.0.3" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-190.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2gwj-7jmv-h26r" + } + ] + }, + { + "modified": "2023-12-06T01:02:11Z", + "published": "2022-04-12T05:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-191", + "aliases": [ + "BIT-django-2022-28347", + 
"CVE-2022-28347", + "GHSA-w24h-v9qh-8gxj" + ], + "details": "A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.0" + }, + { + "fixed": "4.0.4" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.13" + }, + { + "introduced": "2.2" + }, + { + "fixed": "2.2.28" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.27", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.2", + "4.0.3" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-191.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/04/11/1" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/apr/11/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-w24h-v9qh-8gxj" + } + ] + }, + { + "modified": "2023-12-06T01:01:43Z", + "published": "2022-01-05T00:15:00Z", + "schema_version": "1.6.0", + "id": 
"PYSEC-2022-2", + "aliases": [ + "BIT-django-2021-45116", + "CVE-2021-45116", + "GHSA-8c5j-9r9f-c6w8" + ], + "details": "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.26" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.11" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.1" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.2", + "3.2.1", + "3.2.10", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-2.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8c5j-9r9f-c6w8" + } + ] + }, + { + "modified": "2023-12-06T01:02:02Z", + "published": "2022-02-03T02:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-20", + "aliases": [ + "BIT-django-2022-23833", + "CVE-2022-23833", + 
"GHSA-6cw3-g6wv-c2xv" + ], + "details": "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + "fixed": "2.2.27" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.12" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.2" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.26", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-20.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-6cw3-g6wv-c2xv" + } + ] + }, + { + "modified": "2023-12-06T01:02:23Z", + "published": "2022-07-04T16:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-213", + "aliases": [ + "BIT-django-2022-34265", + "CVE-2022-34265", + "GHSA-p64x-8rxx-wf6q" + ], + "details": "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. 
The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.14" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.6" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-213.yaml" + } + } + ], + "references": [ + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/jul/04/security-releases/" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-p64x-8rxx-wf6q" + } + ] + }, + { + "modified": "2023-12-06T01:02:30Z", + "published": "2022-08-03T14:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-245", + "aliases": [ + "BIT-django-2022-36359", + "CVE-2022-36359", + "CVE-2022-45442", + "GHSA-2x8x-jmrp-phxw", + "GHSA-8x94-hmjh-97hq" + ], + "details": "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. 
An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.15" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.7" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-245.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/aug/03/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/g/django-announce/c/8cz--gvaJr4" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2022/08/03/1" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8x94-hmjh-97hq" + } + ] + }, + { + "modified": "2023-12-06T01:01:43Z", + "published": "2022-01-05T00:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-3", + "aliases": [ + "BIT-django-2021-45452", + "CVE-2021-45452", + "GHSA-jrh2-hc4r-7jwx" + ], + "details": "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.2" + }, + { + 
"fixed": "2.2.26" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.11" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.1" + } + ] + } + ], + "versions": [ + "2.2", + "2.2.1", + "2.2.10", + "2.2.11", + "2.2.12", + "2.2.13", + "2.2.14", + "2.2.15", + "2.2.16", + "2.2.17", + "2.2.18", + "2.2.19", + "2.2.2", + "2.2.20", + "2.2.21", + "2.2.22", + "2.2.23", + "2.2.24", + "2.2.25", + "2.2.3", + "2.2.4", + "2.2.5", + "2.2.6", + "2.2.7", + "2.2.8", + "2.2.9", + "3.2", + "3.2.1", + "3.2.10", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-3.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/jan/04/security-releases/" + }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-jrh2-hc4r-7jwx" + } + ] + }, + { + "modified": "2023-12-06T01:02:36Z", + "published": "2022-10-16T06:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2022-304", + "aliases": [ + "BIT-django-2022-41323", + "CVE-2022-41323", + "GHSA-qrw5-5h28-6cmg" + ], + "details": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5b6b257fa7ec37ff27965358800c67e2dd11c924" + } + ], + "repo": "https://github.com/django/django" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + 
"fixed": "3.2.16" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.8" + }, + { + "introduced": "4.1" + }, + { + "fixed": "4.1.2" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.1", + "4.1.1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-304.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.0/releases/security/" + }, + { + "type": "FIX", + "url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + } + ] + }, + { + "modified": "2023-12-06T01:03:05Z", + "published": "2023-07-03T13:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-100", + "aliases": [ + "BIT-django-2023-36053", + "CVE-2023-36053", + "GHSA-jh3w-4vvf-mjgr" + ], + "details": "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.2" + }, + { + "fixed": "4.2.3" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.1.10" + }, + { + "introduced": "3.2" + }, + { + "fixed": "3.2.20" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + 
"3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.10", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.0.9", + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9", + "4.1a1", + "4.1b1", + "4.1rc1", + "4.2", + "4.2.1", + "4.2.2" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-100.yaml" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases/" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + } + ] + }, + { + "modified": "2023-12-06T01:02:51Z", + "published": "2023-02-01T19:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-12", + "aliases": [ + "BIT-django-2023-23969", + "CVE-2023-23969", + "GHSA-q2jf-h9jm-m7p4" + ], + "details": "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. 
This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.17" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.9" + }, + { + "introduced": "4.1" + }, + { + "fixed": "4.1.6" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-12.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.1/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2023/feb/01/security-releases/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + } + ] + }, + { + "modified": "2023-12-06T01:02:52Z", + "published": "2023-02-15T01:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-13", + "aliases": [ + "BIT-django-2023-24580", + "CVE-2023-24580", + "GHSA-2hrw-hx67-34x6" + ], + "details": "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. 
Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.18" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.0.10" + }, + { + "introduced": "4.1" + }, + { + "fixed": "4.1.7" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.0", + "4.0.1", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.0.9", + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-13.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.1/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2023/feb/14/security-releases/" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2023/02/14/1" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + } + ] + }, + { + "modified": "2023-11-08T04:13:43Z", + "published": "2023-11-02T06:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-222", + "aliases": [ + "CVE-2023-46695", + "GHSA-qmf9-6jqf-j8fq" + ], + "details": "An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. 
As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.23" + }, + { + "introduced": "4.1" + }, + { + "fixed": "4.1.13" + }, + { + "introduced": "4.2" + }, + { + "fixed": "4.2.7" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.21", + "3.2.22", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.1", + "4.1.1", + "4.1.10", + "4.1.11", + "4.1.12", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9", + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "4.2.5", + "4.2.6" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-222.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2023/nov/01/security-releases/" + } + ] + }, + { + "modified": "2023-11-14T07:57:00Z", + "published": "2023-11-03T05:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-225", + "aliases": [ + "BIT-django-2023-41164", + "CVE-2023-41164", + "GHSA-7h4p-27mh-hmrw" + ], + "details": "In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.", + "affected": [ + { + 
"package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.21" + }, + { + "introduced": "4.1" + }, + { + "fixed": "4.1.11" + }, + { + "introduced": "4.2" + }, + { + "fixed": "4.2.5" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.1", + "4.1.1", + "4.1.10", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9", + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-225.yaml" + } + } + ], + "references": [ + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2023/sep/04/security-releases/" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + } + ] + }, + { + "modified": "2023-11-14T07:56:55Z", + "published": "2023-11-03T05:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-226", + "aliases": [ + "BIT-django-2023-43665", + "CVE-2023-43665", + "GHSA-h8gc-pgj2-vjm3" + ], + "details": "In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. 
NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.22" + }, + { + "introduced": "4.1" + }, + { + "fixed": "4.1.12" + }, + { + "introduced": "4.2" + }, + { + "fixed": "4.2.6" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.21", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.1", + "4.1.1", + "4.1.10", + "4.1.11", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1.9", + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "4.2.5" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-226.yaml" + } + } + ], + "references": [ + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2023/oct/04/security-releases/" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/4.2/releases/security/" + }, + { + "type": "WEB", + "url": "https://groups.google.com/forum/#!forum/django-announce" + } + ] + }, + { + "modified": "2023-12-06T01:03:00Z", + "published": "2023-05-07T02:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-61", + "aliases": [ + "BIT-django-2023-31047", + "CVE-2023-31047", + "GHSA-r3xc-prgr-mg9p" + ], + "details": "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). 
However, Django's \"Uploading multiple files\" documentation suggested otherwise.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.19" + }, + { + "introduced": "4.0" + }, + { + "fixed": "4.1.9" + }, + { + "introduced": "4.2" + }, + { + "fixed": "4.2.1" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.2", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "3.2a1", + "3.2b1", + "3.2rc1", + "4.0", + "4.0.1", + "4.0.10", + "4.0.2", + "4.0.3", + "4.0.4", + "4.0.5", + "4.0.6", + "4.0.7", + "4.0.8", + "4.0.9", + "4.1", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.1.6", + "4.1.7", + "4.1.8", + "4.1a1", + "4.1b1", + "4.1rc1", + "4.2", + "4.2a1", + "4.2b1", + "4.2rc1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2023-61.yaml" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://www.djangoproject.com/weblog/2023/may/03/security-releases/" + }, + { + "type": "ADVISORY", + "url": "https://docs.djangoproject.com/en/4.2/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://groups.google.com/forum/#!forum/django-announce" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A45VKTUVQ2BN6D5ZLZGCM774R6QGFOHW/" + } + ] + }, + { + "modified": "2024-02-16T08:26:32Z", + "published": "2024-02-06T22:16:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2024-28", + "aliases": [ + "BIT-django-2024-24680", + "CVE-2024-24680", + "GHSA-xxj9-f6rv-m3x4" + ], + "details": "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. 
The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "django", + "purl": "pkg:pypi/django" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.2" + }, + { + "fixed": "3.2.24" + }, + { + "introduced": "4.2" + }, + { + "fixed": "4.2.10" + }, + { + "introduced": "5.0" + }, + { + "fixed": "5.0.2" + } + ] + } + ], + "versions": [ + "3.2", + "3.2.1", + "3.2.10", + "3.2.11", + "3.2.12", + "3.2.13", + "3.2.14", + "3.2.15", + "3.2.16", + "3.2.17", + "3.2.18", + "3.2.19", + "3.2.2", + "3.2.20", + "3.2.21", + "3.2.22", + "3.2.23", + "3.2.3", + "3.2.4", + "3.2.5", + "3.2.6", + "3.2.7", + "3.2.8", + "3.2.9", + "4.2", + "4.2.1", + "4.2.2", + "4.2.3", + "4.2.4", + "4.2.5", + "4.2.6", + "4.2.7", + "4.2.8", + "4.2.9", + "5.0", + "5.0.1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2024-28.yaml" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "type": "WEB", + "url": "https://docs.djangoproject.com/en/5.0/releases/security/" + }, + { + "type": "ARTICLE", + "url": "https://www.djangoproject.com/weblog/2024/feb/06/security-releases/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-2gwj-7jmv-h26r", + "PYSEC-2022-190" + ], + "aliases": [ + "BIT-django-2022-28346", + "CVE-2022-28346", + "GHSA-2gwj-7jmv-h26r", + "PYSEC-2022-190" + ] + }, + { + "ids": [ + "GHSA-2hrw-hx67-34x6", + "PYSEC-2023-13" + ], + "aliases": [ + "BIT-django-2023-24580", + "CVE-2023-24580", + "GHSA-2hrw-hx67-34x6", + "PYSEC-2023-13" + ] + }, + { + "ids": [ + "GHSA-53qw-q765-4fww", + "PYSEC-2022-1" + ], + "aliases": [ + "BIT-django-2021-45115", + "CVE-2021-45115", + "GHSA-53qw-q765-4fww", + "PYSEC-2022-1" + ] + }, + { + "ids": [ + "GHSA-6cw3-g6wv-c2xv", + "PYSEC-2022-20" + ], + "aliases": [ + 
"BIT-django-2022-23833", + "CVE-2022-23833", + "GHSA-6cw3-g6wv-c2xv", + "PYSEC-2022-20" + ] + }, + { + "ids": [ + "GHSA-7h4p-27mh-hmrw", + "PYSEC-2023-225" + ], + "aliases": [ + "BIT-django-2023-41164", + "CVE-2023-41164", + "GHSA-7h4p-27mh-hmrw", + "PYSEC-2023-225" + ] + }, + { + "ids": [ + "GHSA-8c5j-9r9f-c6w8", + "PYSEC-2022-2" + ], + "aliases": [ + "BIT-django-2021-45116", + "CVE-2021-45116", + "GHSA-8c5j-9r9f-c6w8", + "PYSEC-2022-2" + ] + }, + { + "ids": [ + "GHSA-8x94-hmjh-97hq", + "PYSEC-2022-245" + ], + "aliases": [ + "BIT-django-2022-36359", + "CVE-2022-36359", + "CVE-2022-45442", + "GHSA-2x8x-jmrp-phxw", + "GHSA-8x94-hmjh-97hq", + "PYSEC-2022-245" + ] + }, + { + "ids": [ + "GHSA-95rw-fx8r-36v6", + "PYSEC-2022-19" + ], + "aliases": [ + "BIT-django-2022-22818", + "CVE-2022-22818", + "GHSA-95rw-fx8r-36v6", + "PYSEC-2022-19" + ] + }, + { + "ids": [ + "GHSA-h8gc-pgj2-vjm3", + "PYSEC-2023-226" + ], + "aliases": [ + "BIT-django-2023-43665", + "CVE-2023-43665", + "GHSA-h8gc-pgj2-vjm3", + "PYSEC-2023-226" + ] + }, + { + "ids": [ + "GHSA-jh3w-4vvf-mjgr", + "PYSEC-2023-100" + ], + "aliases": [ + "BIT-django-2023-36053", + "CVE-2023-36053", + "GHSA-jh3w-4vvf-mjgr", + "PYSEC-2023-100" + ] + }, + { + "ids": [ + "GHSA-jrh2-hc4r-7jwx", + "PYSEC-2022-3" + ], + "aliases": [ + "BIT-django-2021-45452", + "CVE-2021-45452", + "GHSA-jrh2-hc4r-7jwx", + "PYSEC-2022-3" + ] + }, + { + "ids": [ + "GHSA-p64x-8rxx-wf6q", + "PYSEC-2022-213" + ], + "aliases": [ + "BIT-django-2022-34265", + "CVE-2022-34265", + "GHSA-p64x-8rxx-wf6q", + "PYSEC-2022-213" + ] + }, + { + "ids": [ + "GHSA-q2jf-h9jm-m7p4", + "PYSEC-2023-12" + ], + "aliases": [ + "BIT-django-2023-23969", + "CVE-2023-23969", + "GHSA-q2jf-h9jm-m7p4", + "PYSEC-2023-12" + ] + }, + { + "ids": [ + "GHSA-qmf9-6jqf-j8fq", + "PYSEC-2023-222" + ], + "aliases": [ + "CVE-2023-46695", + "GHSA-qmf9-6jqf-j8fq", + "PYSEC-2023-222" + ] + }, + { + "ids": [ + "GHSA-qrw5-5h28-6cmg", + "PYSEC-2022-304" + ], + "aliases": [ + "BIT-django-2022-41323", 
+ "CVE-2022-41323", + "GHSA-qrw5-5h28-6cmg", + "PYSEC-2022-304" + ] + }, + { + "ids": [ + "GHSA-r3xc-prgr-mg9p", + "PYSEC-2023-61" + ], + "aliases": [ + "BIT-django-2023-31047", + "CVE-2023-31047", + "GHSA-r3xc-prgr-mg9p", + "PYSEC-2023-61" + ] + }, + { + "ids": [ + "GHSA-v6rh-hp5x-86rv", + "PYSEC-2021-439" + ], + "aliases": [ + "BIT-django-2021-44420", + "CVE-2021-44420", + "GHSA-v6rh-hp5x-86rv", + "PYSEC-2021-439" + ] + }, + { + "ids": [ + "GHSA-w24h-v9qh-8gxj", + "PYSEC-2022-191" + ], + "aliases": [ + "BIT-django-2022-28347", + "CVE-2022-28347", + "GHSA-w24h-v9qh-8gxj", + "PYSEC-2022-191" + ] + }, + { + "ids": [ + "GHSA-xpfp-f569-q3p2", + "PYSEC-2021-109" + ], + "aliases": [ + "BIT-django-2021-35042", + "CVE-2021-35042", + "GHSA-xpfp-f569-q3p2", + "PYSEC-2021-109" + ] + }, + { + "ids": [ + "GHSA-xxj9-f6rv-m3x4", + "PYSEC-2024-28" + ], + "aliases": [ + "BIT-django-2024-24680", + "CVE-2024-24680", + "GHSA-xxj9-f6rv-m3x4", + "PYSEC-2024-28" + ] + } + ] + }, + { + "package": { + "name": "requests", + "version": "2.25.1", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-02-16T08:09:04Z", + "published": "2023-05-22T20:36:32Z", + "schema_version": "1.6.0", + "id": "GHSA-j8r2-6x86-q33q", + "aliases": [ + "CVE-2023-32681", + "PYSEC-2023-74" + ], + "summary": "Unintended leak of Proxy-Authorization header in requests", + "details": "### Impact\n\nSince Requests v2.3.0, Requests has been vulnerable to potentially leaking `Proxy-Authorization` headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how `rebuild_proxies` is used to recompute and [reattach the `Proxy-Authorization` header](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328) to requests when redirected. 
Note this behavior has _only_ been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. `https://username:password@proxy:8080`).\n\n**Current vulnerable behavior(s):**\n\n1. HTTP → HTTPS: **leak**\n2. HTTPS → HTTP: **no leak**\n3. HTTPS → HTTPS: **leak**\n4. HTTP → HTTP: **no leak**\n\nFor HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.\n\nThe reason this currently works for HTTPS connections in Requests is the `Proxy-Authorization` header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with [`proxy_manager_for`](https://github.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235). This will compute the required proxy headers in `proxy_headers` and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.\n\n### Patches\nStarting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.\n\nFor users with custom adapters, this _may_ be potentially breaking if you were already working around this behavior. 
The previous functionality of `rebuild_proxies` doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.\n\n### Workarounds\nFor users who are not able to update Requests immediately, there is one potential workaround.\n\nYou may disable redirects by setting `allow_redirects` to `False` on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.\n```\nimport requests\nr = requests.get('http://github.com/', allow_redirects=False)\n```\n\n### Credits\n\nThis vulnerability was discovered and disclosed by the following individuals.\n\nDennis Brinkrolf, Haxolot (https://haxolot.com/)\nTobias Funke, (tobiasfunke93@gmail.com)", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "requests", + "purl": "pkg:pypi/requests" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.31.0" + } + ] + } + ], + "versions": [ + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.12.2", + "2.12.3", + "2.12.4", + "2.12.5", + "2.13.0", + "2.14.0", + "2.14.1", + "2.14.2", + "2.15.0", + "2.15.1", + "2.16.0", + "2.16.1", + "2.16.2", + "2.16.3", + "2.16.4", + "2.16.5", + "2.17.0", + "2.17.1", + "2.17.2", + "2.17.3", + "2.18.0", + "2.18.1", + "2.18.2", + "2.18.3", + "2.18.4", + "2.19.0", + "2.19.1", + "2.20.0", + "2.20.1", + "2.21.0", + "2.22.0", + "2.23.0", + "2.24.0", + "2.25.0", + "2.25.1", + "2.26.0", + "2.27.0", + "2.27.1", + "2.28.0", + "2.28.1", + "2.28.2", + "2.29.0", + "2.3.0", + "2.30.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.5.0", + "2.5.1", + "2.5.2", + "2.5.3", + "2.6.0", + "2.6.1", + "2.6.2", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "2.9.1", + "2.9.2" + ], + "database_specific": { + "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-j8r2-6x86-q33q/GHSA-j8r2-6x86-q33q.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "requests.sessions.SessionRedirectMixin.rebuild_proxies" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32681" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "type": "PACKAGE", + "url": "https://github.com/psf/requests" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml" + }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ" + }, + { + "type": "WEB", + "url": "https://security.gentoo.org/glsa/202309-08" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-200" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-05-22T20:36:32Z", + "nvd_published_at": "2023-05-26T18:15:14Z", + "severity": "MODERATE" + } + }, + { + "modified": "2023-11-08T04:12:35Z", + "published": "2023-05-26T18:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-74", + "aliases": [ + "CVE-2023-32681", + "GHSA-j8r2-6x86-q33q" + ], + "details": "Requests is a HTTP library. 
Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.\n\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "requests", + "purl": "pkg:pypi/requests" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + } + ], + "repo": "https://github.com/psf/requests" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2.3.0" + }, + { + "fixed": "2.31.0" + } + ] + } + ], + "versions": [ + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.12.2", + "2.12.3", + "2.12.4", + "2.12.5", + "2.13.0", + "2.14.0", + "2.14.1", + "2.14.2", + "2.15.0", + "2.15.1", + "2.16.0", + "2.16.1", + "2.16.2", + "2.16.3", + "2.16.4", + "2.16.5", + "2.17.0", + "2.17.1", + "2.17.2", + "2.17.3", + "2.18.0", + "2.18.1", + "2.18.2", + "2.18.3", + "2.18.4", + "2.19.0", + "2.19.1", + "2.20.0", + "2.20.1", + "2.21.0", + "2.22.0", + "2.23.0", + "2.24.0", + "2.25.0", + "2.25.1", + "2.26.0", + "2.27.0", + "2.27.1", + "2.28.0", + "2.28.1", + "2.28.2", + "2.29.0", + "2.3.0", + "2.30.0", + "2.4.0", + "2.4.1", + "2.4.2", + "2.4.3", + "2.5.0", + "2.5.1", + "2.5.2", + "2.5.3", + "2.6.0", + "2.6.1", + "2.6.2", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "2.9.1", + 
"2.9.2" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/requests/PYSEC-2023-74.yaml" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q" + }, + { + "type": "WEB", + "url": "https://github.com/psf/requests/releases/tag/v2.31.0" + }, + { + "type": "FIX", + "url": "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-j8r2-6x86-q33q", + "PYSEC-2023-74" + ], + "aliases": [ + "CVE-2023-32681", + "GHSA-j8r2-6x86-q33q", + "PYSEC-2023-74" + ] + } + ] + }, + { + "package": { + "name": "selenium", + "version": "3.141.0", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "requirements" + ], + "vulnerabilities": [ + { + "modified": "2023-11-08T04:13:47Z", + "published": "2023-10-15T23:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-206", + "aliases": [ + "CVE-2023-5590" + ], + "details": "NULL Pointer Dereference in GitHub repository seleniumhq/selenium prior to 4.14.0.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "selenium", + "purl": "pkg:pypi/selenium" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "023a0d52f106321838ab1c0997e76693f4dcbdf6" + } + ], + "repo": "https://github.com/seleniumhq/selenium" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.14.0" + } + ] + } + ], + "versions": [ + "0.9.2", + "1.0.1", + "1.0.3", + "2.0-dev", + "2.0-dev-9138", + "2.0-dev-9212", + "2.0-dev-9231", + "2.0-dev-9284", + "2.0-dev-9306", + "2.0-dev-9307", + "2.0-dev-9310", + "2.0-dev-9338", + "2.0-dev-9340", + "2.0-dev-9341", + "2.0-dev-9429", + "2.0.0", + "2.0.1", + "2.0a5", + 
"2.0b2", + "2.0b3", + "2.0b3dev", + "2.0b4dev", + "2.0dev1", + "2.0dev2", + "2.0dev3", + "2.0dev4", + "2.0dev5", + "2.0dev6", + "2.0rc1", + "2.0rc2", + "2.0rc3", + "2.1.0", + "2.10.0", + "2.11.0", + "2.11.1", + "2.12.0", + "2.12.1", + "2.13.0", + "2.13.1", + "2.14.0", + "2.15.0", + "2.16.0", + "2.17.0", + "2.18.1", + "2.19.0", + "2.19.1", + "2.2.0", + "2.20.0", + "2.21.0", + "2.21.1", + "2.21.2", + "2.21.3", + "2.22.0", + "2.22.1", + "2.23.0", + "2.24.0", + "2.25.0", + "2.26.0", + "2.27.0", + "2.28.0", + "2.29.0", + "2.3.0", + "2.30.0", + "2.31.0", + "2.32.0", + "2.33.0", + "2.34.0", + "2.35.0", + "2.36.0", + "2.37.0", + "2.37.1", + "2.37.2", + "2.38.0", + "2.38.1", + "2.38.2", + "2.38.3", + "2.38.4", + "2.39.0", + "2.4.0", + "2.40.0", + "2.41.0", + "2.42.0", + "2.42.1", + "2.43.0", + "2.44.0", + "2.45.0", + "2.46.0", + "2.46.1", + "2.47.0", + "2.47.1", + "2.47.2", + "2.47.3", + "2.48.0", + "2.49.0", + "2.49.1", + "2.49.2", + "2.5.0", + "2.50.0", + "2.50.1", + "2.51.0", + "2.51.1", + "2.52.0", + "2.53.0", + "2.53.1", + "2.53.2", + "2.53.3", + "2.53.4", + "2.53.5", + "2.53.6", + "2.6.0", + "2.7.0", + "2.8.0", + "2.8.1", + "2.9.0", + "3.0.0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.1", + "3.0.2", + "3.10.0", + "3.11.0", + "3.12.0", + "3.13.0", + "3.14.0", + "3.14.1", + "3.141.0", + "3.3.0", + "3.3.1", + "3.3.2", + "3.3.3", + "3.4.0", + "3.4.1", + "3.4.2", + "3.4.3", + "3.5.0", + "3.6.0", + "3.7.0", + "3.8.0", + "3.8.1", + "3.9.0", + "4.0.0", + "4.0.0.a7", + "4.0.0.b1", + "4.0.0.b2", + "4.0.0.b2.post1", + "4.0.0.b3", + "4.0.0.b4", + "4.0.0.rc1", + "4.0.0a1", + "4.0.0a3", + "4.0.0a5", + "4.0.0a6", + "4.0.0a6.post1", + "4.0.0a6.post2", + "4.0.0rc2", + "4.0.0rc3", + "4.1.0", + "4.1.1", + "4.1.2", + "4.1.3", + "4.1.4", + "4.1.5", + "4.10.0", + "4.11.0", + "4.11.1", + "4.11.2", + "4.12.0", + "4.13.0", + "4.2.0", + "4.3.0", + "4.4.0", + "4.4.1", + "4.4.2", + "4.4.3", + "4.5.0", + "4.6.0", + "4.6.1", + "4.7.0", + "4.7.1", + "4.7.2", + "4.8.0", + "4.8.1", + "4.8.2", + 
"4.8.3", + "4.9.0", + "4.9.1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/selenium/PYSEC-2023-206.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "FIX", + "url": "https://github.com/seleniumhq/selenium/commit/023a0d52f106321838ab1c0997e76693f4dcbdf6" + }, + { + "type": "WEB", + "url": "https://huntr.dev/bounties/e268cd68-4f34-49bd-878b-82b96dcc0c99" + } + ] + } + ], + "groups": [ + { + "ids": [ + "PYSEC-2023-206" + ], + "aliases": [ + "CVE-2023-5590", + "PYSEC-2023-206" + ] + } + ] + } + ] + }, + { + "source": { + "path": "/tmptrivy-dojo-report-operator/poetry.lock", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "aiohttp", + "version": "3.8.6", + "ecosystem": "PyPI" + }, + "vulnerabilities": [ + { + "modified": "2024-02-18T05:33:41Z", + "published": "2024-01-29T22:31:03Z", + "schema_version": "1.6.0", + "id": "GHSA-5h86-8mv2-jq9f", + "aliases": [ + "CVE-2024-23334", + "PYSEC-2024-24" + ], + "summary": "aiohttp is vulnerable to directory traversal", + "details": "### Summary\nImproperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.\n\n### Details\nWhen using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.\n\ni.e. 
An application is only vulnerable with setup code like:\n```\napp.router.add_routes([\n web.static(\"/static\", \"static/\", follow_symlinks=True), # Remove follow_symlinks to avoid the vulnerability\n])\n```\n\n### Impact\nThis is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with `follow_symlinks` set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the `follow_symlinks` parameter.\n\n### Workaround\nEven if upgrading to a patched version of aiohttp, we recommend following these steps regardless.\n\nIf using `follow_symlinks=True` outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location _within_ the static root directory, it is _only_ intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.\n\nAdditionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and _not_ to use these static resources in aiohttp for production environments. 
Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8079/files", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.5" + }, + { + "fixed": "3.9.2" + } + ] + } + ], + "versions": [ + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", + "2.3.1a1", + "2.3.2", + "2.3.2b2", + "2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + "3.8.4", + "3.8.5", + "3.8.6", 
+ "3.9.0", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0", + "3.9.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-5h86-8mv2-jq9f/GHSA-5h86-8mv2-jq9f.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23334" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8079" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8079/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:31:03Z", + "nvd_published_at": "2024-01-29T23:15:08Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-18T05:33:44Z", + "published": "2024-01-29T22:30:07Z", + "schema_version": "1.6.0", + "id": "GHSA-8qpw-xqxj-h4r2", + "aliases": [ + "CVE-2024-23829", + "PYSEC-2024-26" + ], + "summary": "aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators", + "details": "### Summary\nSecurity-sensitive parts of the *Python HTTP 
parser* retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.\n\n### Details\nThese problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:\n\n1. The expression `HTTP/(\\d).(\\d)` lacked another backslash to clarify that the separator should be a literal dot, not just *any* Unicode code point (result: `HTTP/(\\d)\\.(\\d)`).\n\n2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.\n\n3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 `token`.\n\n### PoC\n`GET / HTTP/1ö1`\n`GET / HTTP/1.𝟙`\n`GET/: HTTP/1.1`\n`Content-Encoding?: chunked`\n\n### Impact\nPrimarily concerns running an aiohttp server without llhttp:\n 1. **behind a proxy**: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.\n 2. 
**directly accessible** or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/pull/8074/files", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.2" + } + ] + } + ], + "versions": [ + "0.1", + "0.10.0", + "0.10.1", + "0.10.2", + "0.11.0", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.14.2", + "0.14.3", + "0.14.4", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.16.4", + "0.16.5", + "0.16.6", + "0.17.0", + "0.17.1", + "0.17.2", + "0.17.3", + "0.17.4", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.2", + "0.20.0", + "0.20.1", + "0.20.2", + "0.21.0", + "0.21.1", + "0.21.2", + "0.21.4", + "0.21.5", + "0.21.6", + "0.22.0", + "0.22.0a0", + "0.22.0b0", + "0.22.0b1", + "0.22.0b2", + "0.22.0b3", + "0.22.0b4", + "0.22.0b5", + "0.22.0b6", + "0.22.1", + "0.22.2", + "0.22.3", + "0.22.4", + "0.22.5", + "0.3", + "0.4", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.9.0", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0.0", + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", 
+ "2.3.1a1", + "2.3.2", + "2.3.2b2", + "2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + "3.8.4", + "3.8.5", + "3.8.6", + "3.9.0", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0", + "3.9.1" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8qpw-xqxj-h4r2/GHSA-8qpw-xqxj-h4r2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23829" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/3235" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8074" + }, + { + "type": 
"WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/8074/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827" + }, + { + "type": "PACKAGE", + "url": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-444" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-01-29T22:30:07Z", + "nvd_published_at": "2024-01-29T23:15:08Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-02-17T05:34:27Z", + "published": "2023-11-27T23:17:42Z", + "schema_version": "1.6.0", + "id": "GHSA-q3qx-c6g2-7pw2", + "aliases": [ + "CVE-2023-49081", + "PYSEC-2023-250" + ], + "summary": "aiohttp's ClientSession is vulnerable to CRLF injection via version", + "details": "### Summary\nImproper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.\n\n### Details\nThe vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).\nFor example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the `version` parameter.\nFurthermore, the vulnerability only occurs when the `Connection` header is passed to the `headers` parameter.\n\nAt this point, the library will use the parsed value to create the request. 
If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.\n\n### PoC\nThe POC below shows an example of providing an unvalidated array as a version:\nhttps://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e\n\n### Impact\nCRLF injection leading to Request Smuggling.\n\n### Workaround\nIf these specific conditions are met and you are unable to upgrade, then validate the user input to the `version` parameter to ensure it is a `str`.\n\nPatch: https://github.com/aio-libs/aiohttp/pull/7835/files", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.0" + } + ] + } + ], + "versions": [ + "0.1", + "0.10.0", + "0.10.1", + "0.10.2", + "0.11.0", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.14.2", + "0.14.3", + "0.14.4", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.16.4", + "0.16.5", + "0.16.6", + "0.17.0", + "0.17.1", + "0.17.2", + "0.17.3", + "0.17.4", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.2", + "0.20.0", + "0.20.1", + "0.20.2", + "0.21.0", + "0.21.1", + "0.21.2", + "0.21.4", + "0.21.5", + "0.21.6", + "0.22.0", + "0.22.0a0", + "0.22.0b0", + "0.22.0b1", + "0.22.0b2", + "0.22.0b3", + "0.22.0b4", + "0.22.0b5", + "0.22.0b6", + "0.22.1", + "0.22.2", + "0.22.3", + "0.22.4", + "0.22.5", + "0.3", + "0.4", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.9.0", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0.0", + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + 
"1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", + "2.3.1a1", + "2.3.2", + "2.3.2b2", + "2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + "3.8.4", + "3.8.5", + "3.8.6", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-q3qx-c6g2-7pw2/GHSA-q3qx-c6g2-7pw2.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49081" + }, + { + "type": "WEB", + "url": 
"https://github.com/aio-libs/aiohttp/pull/7835/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b" + }, + { + "type": "WEB", + "url": "https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e" + }, + { + "type": "PACKAGE", + "url": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-250.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-11-27T23:17:42Z", + "nvd_published_at": "2023-11-30T07:15:08Z", + "severity": "HIGH" + } + }, + { + "modified": "2024-02-17T05:31:49Z", + "published": "2023-11-27T23:17:24Z", + "schema_version": "1.6.0", + "id": "GHSA-qvrw-v9rv-5rjx", + "aliases": [ + "CVE-2023-49082", + "PYSEC-2023-251" + ], + "summary": "aiohttp's ClientSession is vulnerable to CRLF injection via method", + "details": "### Summary\nImproper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.\n\n### Details\nThe vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.\n\nPrevious releases performed no validation on the provided value. 
If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.\n\n### PoC\nA minimal example can be found here:\nhttps://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b\n\n### Impact\nIf the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).\n\n### Workaround\nIf unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).\n\nPatch: https://github.com/aio-libs/aiohttp/pull/7806/files", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.0" + } + ] + } + ], + "versions": [ + "0.1", + "0.10.0", + "0.10.1", + "0.10.2", + "0.11.0", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.14.2", + "0.14.3", + "0.14.4", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.16.4", + "0.16.5", + "0.16.6", + "0.17.0", + "0.17.1", + "0.17.2", + "0.17.3", + "0.17.4", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.2", + "0.20.0", + "0.20.1", + "0.20.2", + "0.21.0", + "0.21.1", + "0.21.2", + "0.21.4", + "0.21.5", + "0.21.6", + "0.22.0", + "0.22.0a0", + "0.22.0b0", + "0.22.0b1", + "0.22.0b2", + "0.22.0b3", + "0.22.0b4", + "0.22.0b5", + "0.22.0b6", + "0.22.1", + "0.22.2", + "0.22.3", + "0.22.4", + "0.22.5", + "0.3", + "0.4", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.9.0", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0.0", + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + 
"1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", + "2.3.1a1", + "2.3.2", + "2.3.2b2", + "2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + "3.8.4", + "3.8.5", + "3.8.6", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-qvrw-v9rv-5rjx/GHSA-qvrw-v9rv-5rjx.json" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx" + }, + { + "type": "ADVISORY", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-49082" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/7806/files" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466" + }, + { + "type": "WEB", + "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "WEB", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2023-251.yaml" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TY5SI6NK5243DEEDQUFKQKW5GQNKQUMA" + }, + { + "type": "WEB", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSYWMP64ZFCTC3VO6RY6EC6VSSMV6I3A" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "github_reviewed": true, + "github_reviewed_at": "2023-11-27T23:17:24Z", + "nvd_published_at": "2023-11-29T20:15:08Z", + "severity": "MODERATE" + } + }, + { + "modified": "2024-01-29T16:41:42Z", + "published": "2023-11-30T07:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-250", + "aliases": [ + "CVE-2023-49081", + "GHSA-q3qx-c6g2-7pw2" + ], + "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. 
This issue has been patched in version 3.9.0.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1e86b777e61cf4eefc7d92fa57fa19dcc676013b" + } + ], + "repo": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.0" + } + ] + } + ], + "versions": [ + "0.1", + "0.10.0", + "0.10.1", + "0.10.2", + "0.11.0", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.14.2", + "0.14.3", + "0.14.4", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.16.4", + "0.16.5", + "0.16.6", + "0.17.0", + "0.17.1", + "0.17.2", + "0.17.3", + "0.17.4", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.2", + "0.20.0", + "0.20.1", + "0.20.2", + "0.21.0", + "0.21.1", + "0.21.2", + "0.21.4", + "0.21.5", + "0.21.6", + "0.22.0", + "0.22.0a0", + "0.22.0b0", + "0.22.0b1", + "0.22.0b2", + "0.22.0b3", + "0.22.0b4", + "0.22.0b5", + "0.22.0b6", + "0.22.1", + "0.22.2", + "0.22.3", + "0.22.4", + "0.22.5", + "0.3", + "0.4", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.9.0", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0.0", + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", + "2.3.1a1", + "2.3.2", + "2.3.2b2", + 
"2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + "3.8.4", + "3.8.5", + "3.8.6", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp/PYSEC-2023-250.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2" + }, + { + "type": "WEB", + "url": "https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/7835/files" + }, + { + "type": "FIX", + "url": "https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b" + } + ] + }, + { + "modified": "2024-01-29T16:41:42Z", + "published": "2023-11-29T20:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2023-251", + "aliases": [ + 
"CVE-2023-49082", + "GHSA-qvrw-v9rv-5rjx" + ], + "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "e4ae01c2077d2cfa116aa82e4ff6866857f7c466" + } + ], + "repo": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.0" + } + ] + } + ], + "versions": [ + "0.1", + "0.10.0", + "0.10.1", + "0.10.2", + "0.11.0", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.14.2", + "0.14.3", + "0.14.4", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.16.4", + "0.16.5", + "0.16.6", + "0.17.0", + "0.17.1", + "0.17.2", + "0.17.3", + "0.17.4", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.2", + "0.20.0", + "0.20.1", + "0.20.2", + "0.21.0", + "0.21.1", + "0.21.2", + "0.21.4", + "0.21.5", + "0.21.6", + "0.22.0", + "0.22.0a0", + "0.22.0b0", + "0.22.0b1", + "0.22.0b2", + "0.22.0b3", + "0.22.0b4", + "0.22.0b5", + "0.22.0b6", + "0.22.1", + "0.22.2", + "0.22.3", + "0.22.4", + "0.22.5", + "0.3", + "0.4", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + 
"0.9.0", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0.0", + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", + "2.3.1a1", + "2.3.2", + "2.3.2b2", + "2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + "3.8.4", + "3.8.5", + "3.8.6", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp/PYSEC-2023-251.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": 
"https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx" + }, + { + "type": "WEB", + "url": "https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b" + }, + { + "type": "WEB", + "url": "https://github.com/aio-libs/aiohttp/pull/7806/files" + }, + { + "type": "FIX", + "url": "https://github.com/aio-libs/aiohttp/commit/e4ae01c2077d2cfa116aa82e4ff6866857f7c466" + } + ] + }, + { + "modified": "2024-02-05T20:43:19Z", + "published": "2024-01-29T23:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2024-24", + "aliases": [ + "CVE-2024-23334", + "GHSA-5h86-8mv2-jq9f" + ], + "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. 
Version 3.9.2 fixes this issue.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1c335944d6a8b1298baf179b7c0b3069f10c514b" + } + ], + "repo": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.0.5" + }, + { + "fixed": "3.9.2" + } + ] + } + ], + "versions": [ + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", + "2.3.1a1", + "2.3.2", + "2.3.2b2", + "2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + 
"3.8.4", + "3.8.5", + "3.8.6", + "3.9.0", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0", + "3.9.1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp/PYSEC-2024-24.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f" + }, + { + "type": "FIX", + "url": "https://github.com/aio-libs/aiohttp/pull/8079" + }, + { + "type": "FIX", + "url": "https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b" + }, + { + "type": "ARTICLE", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/" + } + ] + }, + { + "modified": "2024-02-06T20:41:46Z", + "published": "2024-01-29T23:15:00Z", + "schema_version": "1.6.0", + "id": "PYSEC-2024-26", + "aliases": [ + "CVE-2024-23829", + "GHSA-8qpw-xqxj-h4r2" + ], + "details": "aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. 
Version 3.9.2 fixes this vulnerability.", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "aiohttp", + "purl": "pkg:pypi/aiohttp" + }, + "ranges": [ + { + "type": "GIT", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "33ccdfb0a12690af5bb49bda2319ec0907fa7827" + } + ], + "repo": "https://github.com/aio-libs/aiohttp" + }, + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.9.2" + } + ] + } + ], + "versions": [ + "0.1", + "0.10.0", + "0.10.1", + "0.10.2", + "0.11.0", + "0.12.0", + "0.13.0", + "0.13.1", + "0.14.0", + "0.14.1", + "0.14.2", + "0.14.3", + "0.14.4", + "0.15.0", + "0.15.1", + "0.15.2", + "0.15.3", + "0.16.0", + "0.16.1", + "0.16.2", + "0.16.3", + "0.16.4", + "0.16.5", + "0.16.6", + "0.17.0", + "0.17.1", + "0.17.2", + "0.17.3", + "0.17.4", + "0.18.0", + "0.18.1", + "0.18.2", + "0.18.3", + "0.18.4", + "0.19.0", + "0.2", + "0.20.0", + "0.20.1", + "0.20.2", + "0.21.0", + "0.21.1", + "0.21.2", + "0.21.4", + "0.21.5", + "0.21.6", + "0.22.0", + "0.22.0a0", + "0.22.0b0", + "0.22.0b1", + "0.22.0b2", + "0.22.0b3", + "0.22.0b4", + "0.22.0b5", + "0.22.0b6", + "0.22.1", + "0.22.2", + "0.22.3", + "0.22.4", + "0.22.5", + "0.3", + "0.4", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4", + "0.5.0", + "0.6.0", + "0.6.1", + "0.6.2", + "0.6.3", + "0.6.4", + "0.6.5", + "0.7.0", + "0.7.1", + "0.7.2", + "0.7.3", + "0.8.0", + "0.8.1", + "0.8.2", + "0.8.3", + "0.8.4", + "0.9.0", + "0.9.1", + "0.9.2", + "0.9.3", + "1.0.0", + "1.0.1", + "1.0.2", + "1.0.3", + "1.0.5", + "1.1.0", + "1.1.1", + "1.1.2", + "1.1.3", + "1.1.4", + "1.1.5", + "1.1.6", + "1.2.0", + "1.3.0", + "1.3.1", + "1.3.2", + "1.3.3", + "1.3.4", + "1.3.5", + "2.0.0", + "2.0.0rc1", + "2.0.1", + "2.0.2", + "2.0.3", + "2.0.4", + "2.0.5", + "2.0.6", + "2.0.7", + "2.1.0", + "2.2.0", + "2.2.1", + "2.2.2", + "2.2.3", + "2.2.4", + "2.2.5", + "2.3.0", + "2.3.0a1", + "2.3.0a2", + "2.3.0a3", + "2.3.0a4", + "2.3.1", + "2.3.10", + "2.3.1a1", + "2.3.2", + "2.3.2b2", + 
"2.3.2b3", + "2.3.3", + "2.3.4", + "2.3.5", + "2.3.6", + "2.3.7", + "2.3.8", + "2.3.9", + "3.0.0", + "3.0.0b0", + "3.0.0b1", + "3.0.0b2", + "3.0.0b3", + "3.0.0b4", + "3.0.1", + "3.0.2", + "3.0.3", + "3.0.4", + "3.0.5", + "3.0.6", + "3.0.7", + "3.0.8", + "3.0.9", + "3.1.0", + "3.1.1", + "3.1.2", + "3.1.3", + "3.2.0", + "3.2.1", + "3.3.0", + "3.3.0a0", + "3.3.1", + "3.3.2", + "3.3.2a0", + "3.4.0", + "3.4.0a0", + "3.4.0a3", + "3.4.0b1", + "3.4.0b2", + "3.4.1", + "3.4.2", + "3.4.3", + "3.4.4", + "3.5.0", + "3.5.0a1", + "3.5.0b1", + "3.5.0b2", + "3.5.0b3", + "3.5.1", + "3.5.2", + "3.5.3", + "3.5.4", + "3.6.0", + "3.6.0a0", + "3.6.0a1", + "3.6.0a11", + "3.6.0a12", + "3.6.0a2", + "3.6.0a3", + "3.6.0a4", + "3.6.0a5", + "3.6.0a6", + "3.6.0a7", + "3.6.0a8", + "3.6.0a9", + "3.6.0b0", + "3.6.1", + "3.6.1b3", + "3.6.1b4", + "3.6.2", + "3.6.2a0", + "3.6.2a1", + "3.6.2a2", + "3.6.3", + "3.7.0", + "3.7.0b0", + "3.7.0b1", + "3.7.1", + "3.7.2", + "3.7.3", + "3.7.4", + "3.7.4.post0", + "3.8.0", + "3.8.0a7", + "3.8.0b0", + "3.8.1", + "3.8.2", + "3.8.3", + "3.8.4", + "3.8.5", + "3.8.6", + "3.9.0", + "3.9.0b0", + "3.9.0b1", + "3.9.0rc0", + "3.9.1" + ], + "database_specific": { + "source": "https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp/PYSEC-2024-26.yaml" + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2" + }, + { + "type": "FIX", + "url": "https://github.com/aio-libs/aiohttp/pull/8074" + }, + { + "type": "FIX", + "url": "https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827" + }, + { + "type": "ARTICLE", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/" + } + ] + } + ], + "groups": [ + { + "ids": [ + "GHSA-5h86-8mv2-jq9f", + "PYSEC-2024-24" + ], + 
"aliases": [ + "CVE-2024-23334", + "GHSA-5h86-8mv2-jq9f", + "PYSEC-2024-24" + ] + }, + { + "ids": [ + "GHSA-8qpw-xqxj-h4r2", + "PYSEC-2024-26" + ], + "aliases": [ + "CVE-2024-23829", + "GHSA-8qpw-xqxj-h4r2", + "PYSEC-2024-26" + ] + }, + { + "ids": [ + "GHSA-q3qx-c6g2-7pw2", + "PYSEC-2023-250" + ], + "aliases": [ + "CVE-2023-49081", + "GHSA-q3qx-c6g2-7pw2", + "PYSEC-2023-250" + ] + }, + { + "ids": [ + "GHSA-qvrw-v9rv-5rjx", + "PYSEC-2023-251" + ], + "aliases": [ + "CVE-2023-49082", + "GHSA-qvrw-v9rv-5rjx", + "PYSEC-2023-251" + ] + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } + } + \ No newline at end of file diff --git a/unittests/scans/osv_scanner/no_findings.json b/unittests/scans/osv_scanner/no_findings.json new file mode 100644 index 00000000000..e69de29bb2d diff --git a/unittests/scans/osv_scanner/some_findings.json b/unittests/scans/osv_scanner/some_findings.json new file mode 100644 index 00000000000..8cbdbe6415a --- /dev/null +++ b/unittests/scans/osv_scanner/some_findings.json 
@@ -0,0 +1,106 @@ +{ + "results": [ + { + "source": { + "path": "/tmp/components/yarn.lock", + "type": "lockfile" + }, + "packages": [ + { + "package": { + "name": "flot-axis", + "version": "0.0.0", + "ecosystem": "npm" + }, + "vulnerabilities": [ + { + "modified": "2023-11-08T04:17:07Z", + "published": "2023-08-01T05:29:33Z", + "schema_version": "1.6.0", + "id": "MAL-2023-1035", + "aliases": [ + "GHSA-8348-2q94-ffjx" + ], + "summary": "Malicious code in flot-axis (npm)", + "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (75e800a2dadaa8f5d0ac8a5db1564e97a702c66176c2da0c537191d88cf8fc81)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "flot-axis", + "purl": "pkg:npm/flot-axis" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + } + ] + } + ], + "database_specific": { + "cwes": [ + { + "cweId": "CWE-506", + "description": "The product contains code that appears to be malicious in nature.", + "name": "Embedded Malicious Code" + } + ], + "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/flot-axis/MAL-2023-1035.json" + } + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-8348-2q94-ffjx" + } + ], + "database_specific": { + "malicious-packages-origins": [ + { + "id": "GHSA-8348-2q94-ffjx", + "import_time": "2023-08-02T00:26:05.915581218Z", + "modified_time": "2023-08-01T05:29:34Z", + "ranges": [ + { + "events": [ + { + "introduced": "0" + } + ], + "type": "SEMVER" + } + ], + 
"sha256": "75e800a2dadaa8f5d0ac8a5db1564e97a702c66176c2da0c537191d88cf8fc81", + "source": "ghsa-malware" + } + ] + } + } + ], + "groups": [ + { + "ids": [ + "MAL-2023-1035" + ], + "aliases": [ + "GHSA-8348-2q94-ffjx", + "MAL-2023-1035" + ] + } + ] + } + ] + } + ], + "experimental_config": { + "licenses": { + "summary": false, + "allowlist": null + } + } + } + \ No newline at end of file diff --git a/unittests/tools/test_osv_scanner_parser.py b/unittests/tools/test_osv_scanner_parser.py new file mode 100644 index 00000000000..af7dac0050e --- /dev/null +++ b/unittests/tools/test_osv_scanner_parser.py 
@@ -0,0 +1,41 @@
+from os import path
+from ..dojo_test_case import DojoTestCase
+from dojo.tools.osv_scanner.parser import OSVScannerParser
+from dojo.models import Test
+
+
+ class TestOSVScannerParser(DojoTestCase):
+ def test_no_findings(self):
+ with open(path.join(path.dirname(__file__), "../scans/osv_scanner/no_findings.json")) as testfile:
+ parser = OSVScannerParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(0, len(findings))
+
+ def test_some_findings(self):
+ with open(path.join(path.dirname(__file__), "../scans/osv_scanner/some_findings.json")) as testfile:
+ parser = OSVScannerParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(1, len(findings))
+ finding = findings[0]
+ self.assertEqual(finding.cwe, "CWE-506")
+ self.assertEqual(finding.title, "MAL-2023-1035_flot-axis")
+ self.assertEqual(finding.cve, "MAL-2023-1035")
+ self.assertEqual(finding.severity, "Low")
+
+ def test_many_findings(self):
+ with open(path.join(path.dirname(__file__), "../scans/osv_scanner/many_findings.json")) as testfile:
+ parser = OSVScannerParser()
+ findings = parser.get_findings(testfile, Test())
+ self.assertEqual(66, len(findings))
+ finding = findings[0]
+ self.assertEqual(finding.title, "GHSA-25mq-v84q-4j7r_guzzlehttp/guzzle")
+ self.assertEqual(finding.cve, "GHSA-25mq-v84q-4j7r")
+ self.assertEqual(finding.severity, "High")
+ finding = findings[3]
+ self.assertEqual(finding.static_finding, True)
+ self.assertEqual(finding.title, "GHSA-q559-8m2m-g699_guzzlehttp/guzzle")
+ self.assertEqual(finding.file_path, "/tmpcardmarket-api/composer.lock")
+ self.assertEqual(finding.component_name, "guzzlehttp/guzzle")
+ finding = findings[17]
+ self.assertEqual(finding.references, "https://nvd.nist.gov/vuln/detail/CVE-2021-45115\nhttps://docs.djangoproject.com/en/4.0/releases/security\nhttps://github.com/django/django\nhttps://groups.google.com/forum/#!forum/django-announce\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV\nhttps://security.netapp.com/advisory/ntap-20220121-0005\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases\n")
+ self.assertEqual(finding.title, "GHSA-53qw-q765-4fww_django")