Update dependency django to v3.2.17 [SECURITY] #13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
e7baed8
to
13a7a05
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
13a7a05
to
e837fb0
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
e837fb0
to
c3af545
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
c3af545
to
fd41643
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
fd41643
to
b4439f1
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
b4439f1
to
e022b08
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
e022b08
to
e7f327e
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
e7f327e
to
02fe681
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
02fe681
to
557933e
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
557933e
to
9bfb526
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
9bfb526
to
be6ed06
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
be6ed06
to
81ab82b
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
81ab82b
to
27f19ec
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
27f19ec
to
83e7163
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
83e7163
to
18cb835
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
18cb835
to
9e3cbbf
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
9e3cbbf
to
c8d3235
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
c8d3235
to
6225151
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
2 times, most recently
from
6188088
to
84622c0
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
84622c0
to
0591aac
Compare
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
0591aac
to
305bdf0
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/pypi-django-vulnerability
branch
from
305bdf0
to
a9b72ce
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==3.2.9->==3.2.17Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2022-28347
A SQL injection issue was discovered in
QuerySet.explain()in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the**optionsargument, and placing the injection payload in an option name.CVE-2022-28346
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
QuerySet.annotate(),aggregate(), andextra()methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed**kwargs.CVE-2021-45116
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
CVE-2021-45115
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
UserAttributeSimilarityValidatorincurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
CVE-2023-36053
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3,
EmailValidatorandURLValidatorare subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.CVE-2021-44420
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
CVE-2022-23833
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
CVE-2021-45452
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
CVE-2023-24580
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
CVE-2023-31047
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
CVE-2023-46695
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
CVE-2022-34265
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The
Trunc()andExtract()database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.CVE-2022-41323
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
CVE-2023-23969
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
CVE-2023-41164
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
CVE-2023-43665
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
CVE-2024-24680
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
CVE-2024-27351
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
CVE-2022-22818
The
{% debug %}template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.Release Notes
django/django (django)
v3.2.17Compare Source
v3.2.16Compare Source
v3.2.15Compare Source
v3.2.14Compare Source
v3.2.13Compare Source
v3.2.12Compare Source
v3.2.11Compare Source
v3.2.10Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.