Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2017-12794
Vulnerability from cvelistv5
Published
2017-09-07 13:00
Modified
2024-08-05 18:51
Severity ?
EPSS score ?
Summary
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/100643 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securitytracker.com/id/1039264 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://usn.ubuntu.com/3559-1/ | ||
| cve@mitre.org | https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100643 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1039264 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3559-1/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ | Patch, Vendor Advisory |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T18:51:07.127Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "USN-3559-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3559-1/", }, { name: "100643", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/100643", }, { name: "1039264", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1039264", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-09-05T00:00:00", descriptions: [ { lang: "en", value: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-03-15T09:57:02", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "USN-3559-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3559-1/", }, { name: "100643", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/100643", }, { name: "1039264", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1039264", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-12794", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "USN-3559-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3559-1/", }, { name: "100643", refsource: "BID", url: "http://www.securityfocus.com/bid/100643", }, { name: "1039264", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039264", }, { name: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", refsource: "CONFIRM", url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2017-12794", datePublished: "2017-09-07T13:00:00", dateReserved: "2017-08-10T00:00:00", dateUpdated: "2024-08-05T18:51:07.127Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { nvd: "{\"cve\":{\"id\":\"CVE-2017-12794\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-09-07T13:29:00.467\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \\\"DEBUG = True\\\" (which makes this page accessible) in your production settings.\"},{\"lang\":\"es\",\"value\":\"En Django versiones 1.10.x anteriores a la 1.10.8 y versiones 1.11.x anteriores a la 1.11.5, se deshabilitó la función de autoescapado HTML en una parte de la plantilla para la página de depuración technical 500. En las condiciones adecuadas, esto permitiría un ataque de Cross-Site Scripting (XSS). Esta vulnerabilidad no debería afectar a la mayoría de sitios de producción, ya que no se debería ejecutar el programa con \\\"DEBUG = True\\\" (lo que hace que esta página sea accesible) en la configuración de producción.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5D2541CE-0462-46DF-BDD8-C19D6E45140B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CE31960-7C68-42F3-B215-B30A87DB67CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B3838B8E-8F0E-4F7A-88E6-FFF2590E5302\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D6C6214-7946-4025-84E6-59448CFE75B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"58182835-CB1F-4490-AE65-90601DBFD0D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"04AE04CD-E923-4630-9BAA-5A4D5A5D0055\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2517FB1C-B732-432B-9F27-EE60F6556433\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.10.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"28F4BB27-B6AF-47AD-9301-DDFF4198B9F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC58EB0F-6DE0-450B-A963-2CA4084BDE71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.11.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"437E4D87-F5C9-4954-9882-396C0ADF649E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.11.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D64C7397-B2A8-4C93-AC09-337E243A7483\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.11.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4F3CDEA7-EFB7-4F4B-872B-1D18CDE340CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.11.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"08EFE4B2-E975-4842-BCAB-528D03F4AB73\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/100643\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039264\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://usn.ubuntu.com/3559-1/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.djangoproject.com/weblog/2017/sep/05/security-releases/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/100643\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039264\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://usn.ubuntu.com/3559-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.djangoproject.com/weblog/2017/sep/05/security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}", }, }
ghsa-9r8w-6x8c-6jr9
Vulnerability from github
Published
2019-01-04 17:50
Modified
2024-09-18 15:51
Severity ?
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Django vulnerable to XSS on 500 pages
Details
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with DEBUG = True (which makes this page accessible) in your production settings.
{ affected: [ { package: { ecosystem: "PyPI", name: "Django", }, ranges: [ { events: [ { introduced: "1.10a1", }, { fixed: "1.10.8", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "PyPI", name: "Django", }, ranges: [ { events: [ { introduced: "1.11a1", }, { fixed: "1.11.5", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2017-12794", ], database_specific: { cwe_ids: [ "CWE-79", ], github_reviewed: true, github_reviewed_at: "2020-06-16T21:29:31Z", nvd_published_at: null, severity: "MODERATE", }, details: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with `DEBUG = True` (which makes this page accessible) in your production settings.", id: "GHSA-9r8w-6x8c-6jr9", modified: "2024-09-18T15:51:10Z", published: "2019-01-04T17:50:34Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12794", }, { type: "WEB", url: "https://github.com/django/django/commit/58e08e80e362db79eb0fd775dc81faad90dca47a", }, { type: "WEB", url: "https://github.com/django/django/commit/e35a0c56086924f331e9422daa266e907a4784cc", }, { type: "ADVISORY", url: "https://github.com/advisories/GHSA-9r8w-6x8c-6jr9", }, { type: "PACKAGE", url: "https://github.com/django/django", }, { type: "WEB", url: "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2017-44.yaml", }, { type: "WEB", url: "https://usn.ubuntu.com/3559-1", }, { type: "WEB", url: "https://web.archive.org/web/20170927072701/http://www.securitytracker.com/id/1039264", }, { type: "WEB", url: "https://web.archive.org/web/20200227150819/http://www.securityfocus.com/bid/100643", }, { type: "WEB", url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", type: "CVSS_V3", }, { score: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", type: "CVSS_V4", }, ], summary: "Django vulnerable to XSS on 500 pages", }
suse-su-2018:0973-1
Vulnerability from csaf_suse
Published
2018-04-18 06:31
Modified
2018-04-18 06:31
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following issues:
Security issues fixed:
- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)
- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)
- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)
- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)
- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)
- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)
- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)
- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)
Patchnames
SUSE-OpenStack-Cloud-7-2018-655
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-Django", title: "Title of the patch", }, { category: "description", text: "This update for python-Django fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)\n- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)\n- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)\n- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)\n- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)\n- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)\n- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)\n- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-OpenStack-Cloud-7-2018-655", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_0973-1.json", }, { category: "self", summary: "URL for SUSE-SU-2018:0973-1", url: "https://www.suse.com/support/update/announcement/2018/suse-su-20180973-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2018:0973-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2018-April/003895.html", }, { category: "self", summary: "SUSE Bug 1001374", url: "https://bugzilla.suse.com/1001374", }, { category: "self", summary: "SUSE Bug 1008047", url: "https://bugzilla.suse.com/1008047", }, { category: "self", summary: "SUSE Bug 1008050", url: "https://bugzilla.suse.com/1008050", }, { category: "self", summary: "SUSE Bug 1031450", url: "https://bugzilla.suse.com/1031450", }, { category: "self", summary: "SUSE Bug 1031451", url: "https://bugzilla.suse.com/1031451", }, { category: "self", summary: "SUSE Bug 1056284", url: "https://bugzilla.suse.com/1056284", }, { category: "self", summary: "SUSE Bug 1083304", url: "https://bugzilla.suse.com/1083304", }, { category: "self", summary: "SUSE Bug 1083305", url: "https://bugzilla.suse.com/1083305", }, { category: "self", summary: "SUSE CVE CVE-2016-7401 page", url: "https://www.suse.com/security/cve/CVE-2016-7401/", }, { category: "self", summary: "SUSE CVE CVE-2016-9013 page", url: "https://www.suse.com/security/cve/CVE-2016-9013/", }, { category: "self", summary: "SUSE CVE CVE-2016-9014 page", url: "https://www.suse.com/security/cve/CVE-2016-9014/", }, { category: "self", summary: "SUSE CVE CVE-2017-12794 page", url: "https://www.suse.com/security/cve/CVE-2017-12794/", }, { category: "self", summary: "SUSE CVE CVE-2017-7233 page", url: "https://www.suse.com/security/cve/CVE-2017-7233/", }, { category: "self", summary: "SUSE CVE CVE-2017-7234 page", url: "https://www.suse.com/security/cve/CVE-2017-7234/", }, { category: "self", summary: "SUSE CVE CVE-2018-7536 page", url: "https://www.suse.com/security/cve/CVE-2018-7536/", }, { category: "self", summary: "SUSE CVE CVE-2018-7537 page", url: "https://www.suse.com/security/cve/CVE-2018-7537/", }, ], title: "Security update for python-Django", tracking: { current_release_date: "2018-04-18T06:31:23Z", generator: { date: "2018-04-18T06:31:23Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2018:0973-1", initial_release_date: "2018-04-18T06:31:23Z", revision_history: [ { date: "2018-04-18T06:31:23Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-Django-1.8.19-3.4.1.noarch", product: { name: "python-Django-1.8.19-3.4.1.noarch", product_id: "python-Django-1.8.19-3.4.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE OpenStack Cloud 7", product: { name: "SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:7", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-Django-1.8.19-3.4.1.noarch as component of SUSE OpenStack Cloud 7", product_id: "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", }, product_reference: "python-Django-1.8.19-3.4.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 7", }, ], }, vulnerabilities: [ { cve: "CVE-2016-7401", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-7401", }, ], notes: [ { category: "general", text: "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-7401", url: "https://www.suse.com/security/cve/CVE-2016-7401", }, { category: "external", summary: "SUSE Bug 1001374 for CVE-2016-7401", url: "https://bugzilla.suse.com/1001374", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "moderate", }, ], title: "CVE-2016-7401", }, { cve: "CVE-2016-9013", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-9013", }, ], notes: [ { category: "general", text: "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-9013", url: "https://www.suse.com/security/cve/CVE-2016-9013", }, { category: "external", summary: "SUSE Bug 1008050 for CVE-2016-9013", url: "https://bugzilla.suse.com/1008050", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "low", }, ], title: "CVE-2016-9013", }, { cve: "CVE-2016-9014", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-9014", }, ], notes: [ { category: "general", text: "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-9014", url: "https://www.suse.com/security/cve/CVE-2016-9014", }, { category: "external", summary: "SUSE Bug 1008047 for CVE-2016-9014", url: "https://bugzilla.suse.com/1008047", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "low", }, ], title: "CVE-2016-9014", }, { cve: "CVE-2017-12794", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12794", }, ], notes: [ { category: "general", text: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-12794", url: "https://www.suse.com/security/cve/CVE-2017-12794", }, { category: "external", summary: "SUSE Bug 1056284 for CVE-2017-12794", url: "https://bugzilla.suse.com/1056284", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "moderate", }, ], title: "CVE-2017-12794", }, { cve: "CVE-2017-7233", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7233", }, ], notes: [ { category: "general", text: "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7233", url: "https://www.suse.com/security/cve/CVE-2017-7233", }, { category: "external", summary: "SUSE Bug 1031450 for CVE-2017-7233", url: "https://bugzilla.suse.com/1031450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "low", }, ], title: "CVE-2017-7233", }, { cve: "CVE-2017-7234", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7234", }, ], notes: [ { category: "general", text: "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7234", url: "https://www.suse.com/security/cve/CVE-2017-7234", }, { category: "external", summary: "SUSE Bug 1031451 for CVE-2017-7234", url: "https://bugzilla.suse.com/1031451", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "low", }, ], title: "CVE-2017-7234", }, { cve: "CVE-2018-7536", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7536", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-7536", url: "https://www.suse.com/security/cve/CVE-2018-7536", }, { category: "external", summary: "SUSE Bug 1083304 for CVE-2018-7536", url: "https://bugzilla.suse.com/1083304", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "moderate", }, ], title: "CVE-2018-7536", }, { cve: "CVE-2018-7537", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7537", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-7537", url: "https://www.suse.com/security/cve/CVE-2018-7537", }, { category: "external", summary: "SUSE Bug 1083305 for CVE-2018-7537", url: "https://bugzilla.suse.com/1083305", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-18T06:31:23Z", details: "moderate", }, ], title: "CVE-2018-7537", }, ], }
suse-su-2018:1102-1
Vulnerability from csaf_suse
Published
2018-04-27 13:24
Modified
2018-04-27 13:24
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following issues:
Security issues fixed:
- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)
- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)
- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)
- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)
- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)
- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)
- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)
- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)
- CVE-2016-2512: Vulnerability in the function tils.http.is_safe_url could allow remote users to arbitrary
web site and conduct phishing attacks. (bsc#bnc#967999)
Patchnames
SUSE-OpenStack-Cloud-6-2018-750
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-Django", title: "Title of the patch", }, { category: "description", text: "This update for python-Django fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)\n- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)\n- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)\n- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)\n- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)\n- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)\n- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)\n- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)\n- CVE-2016-2512: Vulnerability in the function tils.http.is_safe_url could allow remote users to arbitrary \n web site and conduct phishing attacks. (bsc#bnc#967999)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-OpenStack-Cloud-6-2018-750", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1102-1.json", }, { category: "self", summary: "URL for SUSE-SU-2018:1102-1", url: "https://www.suse.com/support/update/announcement/2018/suse-su-20181102-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2018:1102-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2018-April/003965.html", }, { category: "self", summary: "SUSE Bug 1001374", url: "https://bugzilla.suse.com/1001374", }, { category: "self", summary: "SUSE Bug 1008047", url: "https://bugzilla.suse.com/1008047", }, { category: "self", summary: "SUSE Bug 1008050", url: "https://bugzilla.suse.com/1008050", }, { category: "self", summary: "SUSE Bug 1031450", url: "https://bugzilla.suse.com/1031450", }, { category: "self", summary: "SUSE Bug 1031451", url: "https://bugzilla.suse.com/1031451", }, { category: "self", summary: "SUSE Bug 1056284", url: "https://bugzilla.suse.com/1056284", }, { category: "self", summary: "SUSE Bug 1083304", url: "https://bugzilla.suse.com/1083304", }, { category: "self", summary: "SUSE Bug 1083305", url: "https://bugzilla.suse.com/1083305", }, { category: "self", summary: "SUSE Bug 967999", url: "https://bugzilla.suse.com/967999", }, { category: "self", summary: "SUSE CVE CVE-2016-2512 page", url: "https://www.suse.com/security/cve/CVE-2016-2512/", }, { category: "self", summary: "SUSE CVE CVE-2016-7401 page", url: "https://www.suse.com/security/cve/CVE-2016-7401/", }, { category: "self", summary: "SUSE CVE CVE-2016-9013 page", url: "https://www.suse.com/security/cve/CVE-2016-9013/", }, { category: "self", summary: "SUSE CVE CVE-2016-9014 page", url: "https://www.suse.com/security/cve/CVE-2016-9014/", }, { category: "self", summary: "SUSE CVE CVE-2017-12794 page", url: "https://www.suse.com/security/cve/CVE-2017-12794/", }, { category: "self", summary: "SUSE CVE CVE-2017-7233 page", url: "https://www.suse.com/security/cve/CVE-2017-7233/", }, { category: "self", summary: "SUSE CVE CVE-2017-7234 page", url: "https://www.suse.com/security/cve/CVE-2017-7234/", }, { category: "self", summary: "SUSE CVE CVE-2018-7536 page", url: "https://www.suse.com/security/cve/CVE-2018-7536/", }, { category: "self", summary: "SUSE CVE CVE-2018-7537 page", url: "https://www.suse.com/security/cve/CVE-2018-7537/", }, ], title: "Security update for python-Django", tracking: { current_release_date: "2018-04-27T13:24:32Z", generator: { date: "2018-04-27T13:24:32Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2018:1102-1", initial_release_date: "2018-04-27T13:24:32Z", revision_history: [ { date: "2018-04-27T13:24:32Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-Django-1.8.19-3.6.1.noarch", product: { name: "python-Django-1.8.19-3.6.1.noarch", product_id: "python-Django-1.8.19-3.6.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE OpenStack Cloud 6", product: { name: "SUSE OpenStack Cloud 6", product_id: "SUSE OpenStack Cloud 6", product_identification_helper: { cpe: "cpe:/o:suse:suse-openstack-cloud:6", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-Django-1.8.19-3.6.1.noarch as component of SUSE OpenStack Cloud 6", product_id: "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", }, product_reference: "python-Django-1.8.19-3.6.1.noarch", relates_to_product_reference: "SUSE OpenStack Cloud 6", }, ], }, vulnerabilities: [ { cve: "CVE-2016-2512", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-2512", }, ], notes: [ { category: "general", text: "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-2512", url: "https://www.suse.com/security/cve/CVE-2016-2512", }, { category: "external", summary: "SUSE Bug 967999 for CVE-2016-2512", url: "https://bugzilla.suse.com/967999", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.4, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "important", }, ], title: "CVE-2016-2512", }, { cve: "CVE-2016-7401", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-7401", }, ], notes: [ { category: "general", text: "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-7401", url: "https://www.suse.com/security/cve/CVE-2016-7401", }, { category: "external", summary: "SUSE Bug 1001374 for CVE-2016-7401", url: "https://bugzilla.suse.com/1001374", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "moderate", }, ], title: "CVE-2016-7401", }, { cve: "CVE-2016-9013", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-9013", }, ], notes: [ { category: "general", text: "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-9013", url: "https://www.suse.com/security/cve/CVE-2016-9013", }, { category: "external", summary: "SUSE Bug 1008050 for CVE-2016-9013", url: "https://bugzilla.suse.com/1008050", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "low", }, ], title: "CVE-2016-9013", }, { cve: "CVE-2016-9014", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-9014", }, ], notes: [ { category: "general", text: "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2016-9014", url: "https://www.suse.com/security/cve/CVE-2016-9014", }, { category: "external", summary: "SUSE Bug 1008047 for CVE-2016-9014", url: "https://bugzilla.suse.com/1008047", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "low", }, ], title: "CVE-2016-9014", }, { cve: "CVE-2017-12794", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12794", }, ], notes: [ { category: "general", text: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-12794", url: "https://www.suse.com/security/cve/CVE-2017-12794", }, { category: "external", summary: "SUSE Bug 1056284 for CVE-2017-12794", url: "https://bugzilla.suse.com/1056284", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "moderate", }, ], title: "CVE-2017-12794", }, { cve: "CVE-2017-7233", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7233", }, ], notes: [ { category: "general", text: "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7233", url: "https://www.suse.com/security/cve/CVE-2017-7233", }, { category: "external", summary: "SUSE Bug 1031450 for CVE-2017-7233", url: "https://bugzilla.suse.com/1031450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "low", }, ], title: "CVE-2017-7233", }, { cve: "CVE-2017-7234", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7234", }, ], notes: [ { category: "general", text: "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7234", url: "https://www.suse.com/security/cve/CVE-2017-7234", }, { category: "external", summary: "SUSE Bug 1031451 for CVE-2017-7234", url: "https://bugzilla.suse.com/1031451", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "low", }, ], title: "CVE-2017-7234", }, { cve: "CVE-2018-7536", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7536", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-7536", url: "https://www.suse.com/security/cve/CVE-2018-7536", }, { category: "external", summary: "SUSE Bug 1083304 for CVE-2018-7536", url: "https://bugzilla.suse.com/1083304", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "moderate", }, ], title: "CVE-2018-7536", }, { cve: "CVE-2018-7537", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7537", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-7537", url: "https://www.suse.com/security/cve/CVE-2018-7537", }, { category: "external", summary: "SUSE Bug 1083305 for CVE-2018-7537", url: "https://bugzilla.suse.com/1083305", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-04-27T13:24:32Z", details: "moderate", }, ], title: "CVE-2018-7537", }, ], }
pysec-2017-44
Vulnerability from pysec
Published
2017-09-07 13:29
Modified
2021-07-15 02:22
Details
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Impacted products
| Name | purl |
|---|---|
| django | pkg:pypi/django |
Aliases
{ affected: [ { package: { ecosystem: "PyPI", name: "django", purl: "pkg:pypi/django", }, ranges: [ { events: [ { introduced: "1.10", }, { fixed: "1.10.8", }, { introduced: "1.11", }, { fixed: "1.11.5", }, ], type: "ECOSYSTEM", }, ], versions: [ "1.10", "1.10.1", "1.10.2", "1.10.3", "1.10.4", "1.10.5", "1.10.6", "1.10.7", "1.11", "1.11.1", "1.11.2", "1.11.3", "1.11.4", ], }, ], aliases: [ "CVE-2017-12794", "GHSA-9r8w-6x8c-6jr9", ], details: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", id: "PYSEC-2017-44", modified: "2021-07-15T02:22:10.638315Z", published: "2017-09-07T13:29:00Z", references: [ { type: "ARTICLE", url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, { type: "WEB", url: "http://www.securitytracker.com/id/1039264", }, { type: "WEB", url: "http://www.securityfocus.com/bid/100643", }, { type: "WEB", url: "https://usn.ubuntu.com/3559-1/", }, { type: "ADVISORY", url: "https://github.com/advisories/GHSA-9r8w-6x8c-6jr9", }, ], }
opensuse-su-2024:14208-1
Vulnerability from csaf_opensuse
Published
2024-07-19 00:00
Modified
2024-07-19 00:00
Summary
python310-Django4-4.2.14-1.1 on GA media
Notes
Title of the patch
python310-Django4-4.2.14-1.1 on GA media
Description of the patch
These are all security issues fixed in the python310-Django4-4.2.14-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14208
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "python310-Django4-4.2.14-1.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the python310-Django4-4.2.14-1.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-14208", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14208-1.json", }, { category: "self", summary: "SUSE CVE CVE-2015-3982 page", url: "https://www.suse.com/security/cve/CVE-2015-3982/", }, { category: "self", summary: "SUSE CVE CVE-2015-5145 page", url: "https://www.suse.com/security/cve/CVE-2015-5145/", }, { category: "self", summary: "SUSE CVE CVE-2015-5963 page", url: "https://www.suse.com/security/cve/CVE-2015-5963/", }, { category: "self", summary: "SUSE CVE CVE-2016-7401 page", url: "https://www.suse.com/security/cve/CVE-2016-7401/", }, { category: "self", summary: "SUSE CVE CVE-2017-12794 page", url: "https://www.suse.com/security/cve/CVE-2017-12794/", }, { category: "self", summary: "SUSE CVE CVE-2017-7233 page", url: "https://www.suse.com/security/cve/CVE-2017-7233/", }, { category: "self", summary: "SUSE CVE CVE-2017-7234 page", url: "https://www.suse.com/security/cve/CVE-2017-7234/", }, { category: "self", summary: "SUSE CVE CVE-2018-16984 page", url: "https://www.suse.com/security/cve/CVE-2018-16984/", }, { category: "self", summary: "SUSE CVE CVE-2018-6188 page", url: "https://www.suse.com/security/cve/CVE-2018-6188/", }, { category: "self", summary: "SUSE CVE CVE-2018-7536 page", url: "https://www.suse.com/security/cve/CVE-2018-7536/", }, { category: "self", summary: "SUSE CVE CVE-2018-7537 page", url: "https://www.suse.com/security/cve/CVE-2018-7537/", }, { category: "self", summary: "SUSE CVE CVE-2019-11358 page", url: "https://www.suse.com/security/cve/CVE-2019-11358/", }, { category: "self", summary: "SUSE CVE CVE-2019-12308 page", url: "https://www.suse.com/security/cve/CVE-2019-12308/", }, { category: "self", summary: "SUSE CVE CVE-2019-12781 page", url: "https://www.suse.com/security/cve/CVE-2019-12781/", }, { category: "self", summary: "SUSE CVE CVE-2019-14232 page", url: "https://www.suse.com/security/cve/CVE-2019-14232/", }, { category: "self", summary: "SUSE CVE CVE-2019-19118 page", url: "https://www.suse.com/security/cve/CVE-2019-19118/", }, { category: "self", summary: "SUSE CVE CVE-2019-19844 page", url: "https://www.suse.com/security/cve/CVE-2019-19844/", }, { category: "self", summary: "SUSE CVE CVE-2019-3498 page", url: "https://www.suse.com/security/cve/CVE-2019-3498/", }, { category: "self", summary: "SUSE CVE CVE-2019-6975 page", url: "https://www.suse.com/security/cve/CVE-2019-6975/", }, { category: "self", summary: "SUSE CVE CVE-2020-13254 page", url: "https://www.suse.com/security/cve/CVE-2020-13254/", }, { category: "self", summary: "SUSE CVE CVE-2020-13596 page", url: "https://www.suse.com/security/cve/CVE-2020-13596/", }, { category: "self", summary: "SUSE CVE CVE-2020-24583 page", url: "https://www.suse.com/security/cve/CVE-2020-24583/", }, { category: "self", summary: "SUSE CVE CVE-2020-24584 page", url: "https://www.suse.com/security/cve/CVE-2020-24584/", }, { category: "self", summary: "SUSE CVE CVE-2020-7471 page", url: "https://www.suse.com/security/cve/CVE-2020-7471/", }, { category: "self", summary: "SUSE CVE CVE-2020-9402 page", url: "https://www.suse.com/security/cve/CVE-2020-9402/", }, { category: "self", summary: "SUSE CVE CVE-2021-31542 page", url: "https://www.suse.com/security/cve/CVE-2021-31542/", }, { category: "self", summary: "SUSE CVE CVE-2021-32052 page", url: "https://www.suse.com/security/cve/CVE-2021-32052/", }, { category: "self", summary: "SUSE CVE CVE-2021-33203 page", url: "https://www.suse.com/security/cve/CVE-2021-33203/", }, { category: "self", summary: "SUSE CVE CVE-2021-33571 page", url: "https://www.suse.com/security/cve/CVE-2021-33571/", }, { category: "self", summary: "SUSE CVE CVE-2021-35042 page", url: "https://www.suse.com/security/cve/CVE-2021-35042/", }, { category: "self", summary: "SUSE CVE CVE-2021-45115 page", url: "https://www.suse.com/security/cve/CVE-2021-45115/", }, { category: "self", summary: "SUSE CVE CVE-2021-45452 page", url: "https://www.suse.com/security/cve/CVE-2021-45452/", }, { category: "self", summary: "SUSE CVE CVE-2022-22818 page", url: "https://www.suse.com/security/cve/CVE-2022-22818/", }, { category: "self", summary: "SUSE CVE CVE-2022-23833 page", url: "https://www.suse.com/security/cve/CVE-2022-23833/", }, { category: "self", summary: "SUSE CVE CVE-2022-28346 page", url: "https://www.suse.com/security/cve/CVE-2022-28346/", }, { category: "self", summary: "SUSE CVE CVE-2022-28347 page", url: "https://www.suse.com/security/cve/CVE-2022-28347/", }, { category: "self", summary: "SUSE CVE CVE-2022-34265 page", url: "https://www.suse.com/security/cve/CVE-2022-34265/", }, { category: "self", summary: "SUSE CVE CVE-2022-36359 page", url: "https://www.suse.com/security/cve/CVE-2022-36359/", }, { category: "self", summary: "SUSE CVE CVE-2022-41323 page", url: "https://www.suse.com/security/cve/CVE-2022-41323/", }, { category: "self", summary: "SUSE CVE CVE-2023-23969 page", url: "https://www.suse.com/security/cve/CVE-2023-23969/", }, { category: "self", summary: "SUSE CVE CVE-2023-24580 page", url: "https://www.suse.com/security/cve/CVE-2023-24580/", }, { category: "self", summary: "SUSE CVE CVE-2023-31047 page", url: "https://www.suse.com/security/cve/CVE-2023-31047/", }, { category: "self", summary: "SUSE CVE CVE-2023-36053 page", url: "https://www.suse.com/security/cve/CVE-2023-36053/", }, { category: "self", summary: "SUSE CVE CVE-2023-41164 page", url: "https://www.suse.com/security/cve/CVE-2023-41164/", }, { category: "self", summary: "SUSE CVE CVE-2023-43665 page", url: "https://www.suse.com/security/cve/CVE-2023-43665/", }, { category: "self", summary: "SUSE CVE CVE-2024-24680 page", url: "https://www.suse.com/security/cve/CVE-2024-24680/", }, { category: "self", summary: "SUSE CVE CVE-2024-27351 page", url: "https://www.suse.com/security/cve/CVE-2024-27351/", }, { category: "self", summary: "SUSE CVE CVE-2024-38875 page", url: "https://www.suse.com/security/cve/CVE-2024-38875/", }, { category: "self", summary: "SUSE CVE CVE-2024-39329 page", url: "https://www.suse.com/security/cve/CVE-2024-39329/", }, { category: "self", summary: "SUSE CVE CVE-2024-39330 page", url: "https://www.suse.com/security/cve/CVE-2024-39330/", }, { category: "self", summary: "SUSE CVE CVE-2024-39614 page", url: "https://www.suse.com/security/cve/CVE-2024-39614/", }, ], title: "python310-Django4-4.2.14-1.1 on GA media", tracking: { current_release_date: "2024-07-19T00:00:00Z", generator: { date: "2024-07-19T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:14208-1", initial_release_date: "2024-07-19T00:00:00Z", revision_history: [ { date: "2024-07-19T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python310-Django4-4.2.14-1.1.aarch64", product: { name: "python310-Django4-4.2.14-1.1.aarch64", product_id: "python310-Django4-4.2.14-1.1.aarch64", }, }, { category: "product_version", name: "python311-Django4-4.2.14-1.1.aarch64", product: { name: "python311-Django4-4.2.14-1.1.aarch64", product_id: "python311-Django4-4.2.14-1.1.aarch64", }, }, { category: "product_version", name: "python312-Django4-4.2.14-1.1.aarch64", product: { name: "python312-Django4-4.2.14-1.1.aarch64", product_id: "python312-Django4-4.2.14-1.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python310-Django4-4.2.14-1.1.ppc64le", product: { name: "python310-Django4-4.2.14-1.1.ppc64le", product_id: "python310-Django4-4.2.14-1.1.ppc64le", }, }, { category: "product_version", name: "python311-Django4-4.2.14-1.1.ppc64le", product: { name: "python311-Django4-4.2.14-1.1.ppc64le", product_id: "python311-Django4-4.2.14-1.1.ppc64le", }, }, { category: "product_version", name: "python312-Django4-4.2.14-1.1.ppc64le", product: { name: "python312-Django4-4.2.14-1.1.ppc64le", product_id: "python312-Django4-4.2.14-1.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python310-Django4-4.2.14-1.1.s390x", product: { name: "python310-Django4-4.2.14-1.1.s390x", product_id: "python310-Django4-4.2.14-1.1.s390x", }, }, { category: "product_version", name: "python311-Django4-4.2.14-1.1.s390x", product: { name: "python311-Django4-4.2.14-1.1.s390x", product_id: "python311-Django4-4.2.14-1.1.s390x", }, }, { category: "product_version", name: "python312-Django4-4.2.14-1.1.s390x", product: { name: "python312-Django4-4.2.14-1.1.s390x", product_id: "python312-Django4-4.2.14-1.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "python310-Django4-4.2.14-1.1.x86_64", product: { name: "python310-Django4-4.2.14-1.1.x86_64", product_id: "python310-Django4-4.2.14-1.1.x86_64", }, }, { category: "product_version", name: "python311-Django4-4.2.14-1.1.x86_64", product: { name: "python311-Django4-4.2.14-1.1.x86_64", product_id: "python311-Django4-4.2.14-1.1.x86_64", }, }, { category: "product_version", name: "python312-Django4-4.2.14-1.1.x86_64", product: { name: "python312-Django4-4.2.14-1.1.x86_64", product_id: "python312-Django4-4.2.14-1.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python310-Django4-4.2.14-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", }, product_reference: "python310-Django4-4.2.14-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Django4-4.2.14-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", }, product_reference: "python310-Django4-4.2.14-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Django4-4.2.14-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", }, product_reference: "python310-Django4-4.2.14-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Django4-4.2.14-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", }, product_reference: "python310-Django4-4.2.14-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django4-4.2.14-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", }, product_reference: "python311-Django4-4.2.14-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django4-4.2.14-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", }, product_reference: "python311-Django4-4.2.14-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django4-4.2.14-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", }, product_reference: "python311-Django4-4.2.14-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django4-4.2.14-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", }, product_reference: "python311-Django4-4.2.14-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django4-4.2.14-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", }, product_reference: "python312-Django4-4.2.14-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django4-4.2.14-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", }, product_reference: "python312-Django4-4.2.14-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django4-4.2.14-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", }, product_reference: "python312-Django4-4.2.14-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django4-4.2.14-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", }, product_reference: "python312-Django4-4.2.14-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3982", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-3982", }, ], notes: [ { category: "general", text: "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-3982", url: "https://www.suse.com/security/cve/CVE-2015-3982", }, { category: "external", summary: "SUSE Bug 932265 for CVE-2015-3982", url: "https://bugzilla.suse.com/932265", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2015-3982", }, { cve: "CVE-2015-5145", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5145", }, ], notes: [ { category: "general", text: "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-5145", url: "https://www.suse.com/security/cve/CVE-2015-5145", }, { category: "external", summary: "SUSE Bug 937524 for CVE-2015-5145", url: "https://bugzilla.suse.com/937524", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2015-5145", }, { cve: "CVE-2015-5963", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5963", }, ], notes: [ { category: "general", text: "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-5963", url: "https://www.suse.com/security/cve/CVE-2015-5963", }, { category: "external", summary: "SUSE Bug 941587 for CVE-2015-5963", url: "https://bugzilla.suse.com/941587", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2015-5963", }, { cve: "CVE-2016-7401", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-7401", }, ], notes: [ { category: "general", text: "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-7401", url: "https://www.suse.com/security/cve/CVE-2016-7401", }, { category: "external", summary: "SUSE Bug 1001374 for CVE-2016-7401", url: "https://bugzilla.suse.com/1001374", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-7401", }, { cve: "CVE-2017-12794", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12794", }, ], notes: [ { category: "general", text: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-12794", url: "https://www.suse.com/security/cve/CVE-2017-12794", }, { category: "external", summary: "SUSE Bug 1056284 for CVE-2017-12794", url: "https://bugzilla.suse.com/1056284", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2017-12794", }, { cve: "CVE-2017-7233", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7233", }, ], notes: [ { category: "general", text: "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-7233", url: "https://www.suse.com/security/cve/CVE-2017-7233", }, { category: "external", summary: "SUSE Bug 1031450 for CVE-2017-7233", url: "https://bugzilla.suse.com/1031450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "low", }, ], title: "CVE-2017-7233", }, { cve: "CVE-2017-7234", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7234", }, ], notes: [ { category: "general", text: "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-7234", url: "https://www.suse.com/security/cve/CVE-2017-7234", }, { category: "external", summary: "SUSE Bug 1031451 for CVE-2017-7234", url: "https://bugzilla.suse.com/1031451", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "low", }, ], title: "CVE-2017-7234", }, { cve: "CVE-2018-16984", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-16984", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-16984", url: "https://www.suse.com/security/cve/CVE-2018-16984", }, { category: "external", summary: "SUSE Bug 1109621 for CVE-2018-16984", url: "https://bugzilla.suse.com/1109621", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-16984", }, { cve: "CVE-2018-6188", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6188", }, ], notes: [ { category: "general", text: "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-6188", url: "https://www.suse.com/security/cve/CVE-2018-6188", }, { category: "external", summary: "SUSE Bug 1077714 for CVE-2018-6188", url: "https://bugzilla.suse.com/1077714", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2018-6188", }, { cve: "CVE-2018-7536", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7536", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-7536", url: "https://www.suse.com/security/cve/CVE-2018-7536", }, { category: "external", summary: "SUSE Bug 1083304 for CVE-2018-7536", url: "https://bugzilla.suse.com/1083304", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-7536", }, { cve: "CVE-2018-7537", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7537", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-7537", url: "https://www.suse.com/security/cve/CVE-2018-7537", }, { category: "external", summary: "SUSE Bug 1083305 for CVE-2018-7537", url: "https://bugzilla.suse.com/1083305", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-7537", }, { cve: "CVE-2019-11358", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-11358", }, ], notes: [ { category: "general", text: "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-11358", url: "https://www.suse.com/security/cve/CVE-2019-11358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-11358", }, { cve: "CVE-2019-12308", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-12308", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-12308", url: "https://www.suse.com/security/cve/CVE-2019-12308", }, { category: "external", summary: "SUSE Bug 1136468 for CVE-2019-12308", url: "https://bugzilla.suse.com/1136468", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-12308", }, { cve: "CVE-2019-12781", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-12781", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-12781", url: "https://www.suse.com/security/cve/CVE-2019-12781", }, { category: "external", summary: "SUSE Bug 1124991 for CVE-2019-12781", url: "https://bugzilla.suse.com/1124991", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-12781", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-12781", }, { cve: "CVE-2019-14232", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-14232", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-14232", url: "https://www.suse.com/security/cve/CVE-2019-14232", }, { category: "external", summary: "SUSE Bug 1142880 for CVE-2019-14232", url: "https://bugzilla.suse.com/1142880", }, { category: "external", summary: "SUSE Bug 1215978 for CVE-2019-14232", url: "https://bugzilla.suse.com/1215978", }, { category: "external", summary: "SUSE Bug 1220358 for CVE-2019-14232", url: "https://bugzilla.suse.com/1220358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2019-14232", }, { cve: "CVE-2019-19118", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-19118", }, ], notes: [ { category: "general", text: "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-19118", url: "https://www.suse.com/security/cve/CVE-2019-19118", }, { category: "external", summary: "SUSE Bug 1157705 for CVE-2019-19118", url: "https://bugzilla.suse.com/1157705", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-19118", }, { cve: "CVE-2019-19844", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-19844", }, ], notes: [ { category: "general", text: "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-19844", url: "https://www.suse.com/security/cve/CVE-2019-19844", }, { category: "external", summary: "SUSE Bug 1159447 for CVE-2019-19844", url: "https://bugzilla.suse.com/1159447", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-19844", }, { cve: "CVE-2019-3498", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-3498", }, ], notes: [ { category: "general", text: "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-3498", url: "https://www.suse.com/security/cve/CVE-2019-3498", }, { category: "external", summary: "SUSE Bug 1120932 for CVE-2019-3498", url: "https://bugzilla.suse.com/1120932", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-3498", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "low", }, ], title: "CVE-2019-3498", }, { cve: "CVE-2019-6975", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-6975", }, ], notes: [ { category: "general", text: "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-6975", url: "https://www.suse.com/security/cve/CVE-2019-6975", }, { category: "external", summary: "SUSE Bug 1124991 for CVE-2019-6975", url: "https://bugzilla.suse.com/1124991", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-6975", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-6975", }, { cve: "CVE-2020-13254", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-13254", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-13254", url: "https://www.suse.com/security/cve/CVE-2020-13254", }, { category: "external", summary: "SUSE Bug 1172166 for CVE-2020-13254", url: "https://bugzilla.suse.com/1172166", }, { category: "external", summary: "SUSE Bug 1172167 for CVE-2020-13254", url: "https://bugzilla.suse.com/1172167", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-13254", }, { cve: "CVE-2020-13596", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-13596", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-13596", url: "https://www.suse.com/security/cve/CVE-2020-13596", }, { category: "external", summary: "SUSE Bug 1172166 for CVE-2020-13596", url: "https://bugzilla.suse.com/1172166", }, { category: "external", summary: "SUSE Bug 1172167 for CVE-2020-13596", url: "https://bugzilla.suse.com/1172167", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-13596", }, { cve: "CVE-2020-24583", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-24583", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-24583", url: "https://www.suse.com/security/cve/CVE-2020-24583", }, { category: "external", summary: "SUSE Bug 1175784 for CVE-2020-24583", url: "https://bugzilla.suse.com/1175784", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2020-24583", }, { cve: "CVE-2020-24584", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-24584", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-24584", url: "https://www.suse.com/security/cve/CVE-2020-24584", }, { category: "external", summary: "SUSE Bug 1175784 for CVE-2020-24584", url: "https://bugzilla.suse.com/1175784", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2020-24584", }, { cve: "CVE-2020-7471", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-7471", }, ], notes: [ { category: "general", text: "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-7471", url: "https://www.suse.com/security/cve/CVE-2020-7471", }, { category: "external", summary: "SUSE Bug 1161919 for CVE-2020-7471", url: "https://bugzilla.suse.com/1161919", }, { category: "external", summary: "SUSE Bug 1161920 for CVE-2020-7471", url: "https://bugzilla.suse.com/1161920", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.6, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2020-7471", }, { cve: "CVE-2020-9402", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-9402", }, ], notes: [ { category: "general", text: "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-9402", url: "https://www.suse.com/security/cve/CVE-2020-9402", }, { category: "external", summary: "SUSE Bug 1165022 for CVE-2020-9402", url: "https://bugzilla.suse.com/1165022", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.6, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2020-9402", }, { cve: "CVE-2021-31542", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-31542", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-31542", url: "https://www.suse.com/security/cve/CVE-2021-31542", }, { category: "external", summary: "SUSE Bug 1185623 for CVE-2021-31542", url: "https://bugzilla.suse.com/1185623", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-31542", }, { cve: "CVE-2021-32052", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-32052", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-32052", url: "https://www.suse.com/security/cve/CVE-2021-32052", }, { category: "external", summary: "SUSE Bug 1185713 for CVE-2021-32052", url: "https://bugzilla.suse.com/1185713", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-32052", }, { cve: "CVE-2021-33203", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-33203", }, ], notes: [ { category: "general", text: "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-33203", url: "https://www.suse.com/security/cve/CVE-2021-33203", }, { category: "external", summary: "SUSE Bug 1186608 for CVE-2021-33203", url: "https://bugzilla.suse.com/1186608", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-33203", }, { cve: "CVE-2021-33571", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-33571", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-33571", url: "https://www.suse.com/security/cve/CVE-2021-33571", }, { category: "external", summary: "SUSE Bug 1186611 for CVE-2021-33571", url: "https://bugzilla.suse.com/1186611", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2021-33571", }, { cve: "CVE-2021-35042", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-35042", }, ], notes: [ { category: "general", text: "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-35042", url: "https://www.suse.com/security/cve/CVE-2021-35042", }, { category: "external", summary: "SUSE Bug 1187785 for CVE-2021-35042", url: "https://bugzilla.suse.com/1187785", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "critical", }, ], title: "CVE-2021-35042", }, { cve: "CVE-2021-45115", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-45115", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-45115", url: "https://www.suse.com/security/cve/CVE-2021-45115", }, { category: "external", summary: "SUSE Bug 1194115 for CVE-2021-45115", url: "https://bugzilla.suse.com/1194115", }, { category: "external", summary: "SUSE Bug 1194117 for CVE-2021-45115", url: "https://bugzilla.suse.com/1194117", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2021-45115", }, { cve: "CVE-2021-45452", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-45452", }, ], notes: [ { category: "general", text: "Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-45452", url: "https://www.suse.com/security/cve/CVE-2021-45452", }, { category: "external", summary: "SUSE Bug 1194116 for CVE-2021-45452", url: "https://bugzilla.suse.com/1194116", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-45452", }, { cve: "CVE-2022-22818", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-22818", }, ], notes: [ { category: "general", text: "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-22818", url: "https://www.suse.com/security/cve/CVE-2022-22818", }, { category: "external", summary: "SUSE Bug 1195086 for CVE-2022-22818", url: "https://bugzilla.suse.com/1195086", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2022-22818", }, { cve: "CVE-2022-23833", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-23833", }, ], notes: [ { category: "general", text: "An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-23833", url: "https://www.suse.com/security/cve/CVE-2022-23833", }, { category: "external", summary: "SUSE Bug 1195088 for CVE-2022-23833", url: "https://bugzilla.suse.com/1195088", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2022-23833", }, { cve: "CVE-2022-28346", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-28346", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-28346", url: "https://www.suse.com/security/cve/CVE-2022-28346", }, { category: "external", summary: "SUSE Bug 1198398 for CVE-2022-28346", url: "https://bugzilla.suse.com/1198398", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2022-28346", }, { cve: "CVE-2022-28347", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-28347", }, ], notes: [ { category: "general", text: "A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-28347", url: "https://www.suse.com/security/cve/CVE-2022-28347", }, { category: "external", summary: "SUSE Bug 1198399 for CVE-2022-28347", url: "https://bugzilla.suse.com/1198399", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2022-28347", }, { cve: "CVE-2022-34265", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-34265", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-34265", url: "https://www.suse.com/security/cve/CVE-2022-34265", }, { category: "external", summary: "SUSE Bug 1201186 for CVE-2022-34265", url: "https://bugzilla.suse.com/1201186", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2022-34265", }, { cve: "CVE-2022-36359", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-36359", }, ], notes: [ { category: "general", text: "An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-36359", url: "https://www.suse.com/security/cve/CVE-2022-36359", }, { category: "external", summary: "SUSE Bug 1201923 for CVE-2022-36359", url: "https://bugzilla.suse.com/1201923", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2022-36359", }, { cve: "CVE-2022-41323", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2022-41323", }, ], notes: [ { category: "general", text: "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2022-41323", url: "https://www.suse.com/security/cve/CVE-2022-41323", }, { category: "external", summary: "SUSE Bug 1203793 for CVE-2022-41323", url: "https://bugzilla.suse.com/1203793", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2022-41323", }, { cve: "CVE-2023-23969", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-23969", }, ], notes: [ { category: "general", text: "In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-23969", url: "https://www.suse.com/security/cve/CVE-2023-23969", }, { category: "external", summary: "SUSE Bug 1207565 for CVE-2023-23969", url: "https://bugzilla.suse.com/1207565", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2023-23969", }, { cve: "CVE-2023-24580", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-24580", }, ], notes: [ { category: "general", text: "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-24580", url: "https://www.suse.com/security/cve/CVE-2023-24580", }, { category: "external", summary: "SUSE Bug 1208082 for CVE-2023-24580", url: "https://bugzilla.suse.com/1208082", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2023-24580", }, { cve: "CVE-2023-31047", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-31047", }, ], notes: [ { category: "general", text: "In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's \"Uploading multiple files\" documentation suggested otherwise.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-31047", url: "https://www.suse.com/security/cve/CVE-2023-31047", }, { category: "external", summary: "SUSE Bug 1210866 for CVE-2023-31047", url: "https://bugzilla.suse.com/1210866", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.6, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2023-31047", }, { cve: "CVE-2023-36053", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-36053", }, ], notes: [ { category: "general", text: "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-36053", url: "https://www.suse.com/security/cve/CVE-2023-36053", }, { category: "external", summary: "SUSE Bug 1212742 for CVE-2023-36053", url: "https://bugzilla.suse.com/1212742", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2023-36053", }, { cve: "CVE-2023-41164", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-41164", }, ], notes: [ { category: "general", text: "In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-41164", url: "https://www.suse.com/security/cve/CVE-2023-41164", }, { category: "external", summary: "SUSE Bug 1214667 for CVE-2023-41164", url: "https://bugzilla.suse.com/1214667", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2023-41164", }, { cve: "CVE-2023-43665", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-43665", }, ], notes: [ { category: "general", text: "In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-43665", url: "https://www.suse.com/security/cve/CVE-2023-43665", }, { category: "external", summary: "SUSE Bug 1215978 for CVE-2023-43665", url: "https://bugzilla.suse.com/1215978", }, { category: "external", summary: "SUSE Bug 1220358 for CVE-2023-43665", url: "https://bugzilla.suse.com/1220358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2023-43665", }, { cve: "CVE-2024-24680", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-24680", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-24680", url: "https://www.suse.com/security/cve/CVE-2024-24680", }, { category: "external", summary: "SUSE Bug 1219683 for CVE-2024-24680", url: "https://bugzilla.suse.com/1219683", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2024-24680", }, { cve: "CVE-2024-27351", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-27351", }, ], notes: [ { category: "general", text: "In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-27351", url: "https://www.suse.com/security/cve/CVE-2024-27351", }, { category: "external", summary: "SUSE Bug 1220358 for CVE-2024-27351", url: "https://bugzilla.suse.com/1220358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2024-27351", }, { cve: "CVE-2024-38875", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-38875", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-38875", url: "https://www.suse.com/security/cve/CVE-2024-38875", }, { category: "external", summary: "SUSE Bug 1227590 for CVE-2024-38875", url: "https://bugzilla.suse.com/1227590", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2024-38875", }, { cve: "CVE-2024-39329", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-39329", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-39329", url: "https://www.suse.com/security/cve/CVE-2024-39329", }, { category: "external", summary: "SUSE Bug 1227590 for CVE-2024-39329", url: "https://bugzilla.suse.com/1227590", }, { category: "external", summary: "SUSE Bug 1227593 for CVE-2024-39329", url: "https://bugzilla.suse.com/1227593", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "moderate", }, ], title: "CVE-2024-39329", }, { cve: "CVE-2024-39330", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-39330", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-39330", url: "https://www.suse.com/security/cve/CVE-2024-39330", }, { category: "external", summary: "SUSE Bug 1227590 for CVE-2024-39330", url: "https://bugzilla.suse.com/1227590", }, { category: "external", summary: "SUSE Bug 1227594 for CVE-2024-39330", url: "https://bugzilla.suse.com/1227594", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2024-39330", }, { cve: "CVE-2024-39614", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-39614", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-39614", url: "https://www.suse.com/security/cve/CVE-2024-39614", }, { category: "external", summary: "SUSE Bug 1227590 for CVE-2024-39614", url: "https://bugzilla.suse.com/1227590", }, { category: "external", summary: "SUSE Bug 1227595 for CVE-2024-39614", url: "https://bugzilla.suse.com/1227595", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python310-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python311-Django4-4.2.14-1.1.x86_64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.aarch64", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.ppc64le", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.s390x", "openSUSE Tumbleweed:python312-Django4-4.2.14-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-07-19T00:00:00Z", details: "important", }, ], title: "CVE-2024-39614", }, ], }
opensuse-su-2024:11205-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python36-Django-3.2.7-2.3 on GA media
Notes
Title of the patch
python36-Django-3.2.7-2.3 on GA media
Description of the patch
These are all security issues fixed in the python36-Django-3.2.7-2.3 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11205
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "python36-Django-3.2.7-2.3 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the python36-Django-3.2.7-2.3 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-11205", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11205-1.json", }, { category: "self", summary: "SUSE CVE CVE-2015-3982 page", url: "https://www.suse.com/security/cve/CVE-2015-3982/", }, { category: "self", summary: "SUSE CVE CVE-2015-5145 page", url: "https://www.suse.com/security/cve/CVE-2015-5145/", }, { category: "self", summary: "SUSE CVE CVE-2015-5963 page", url: "https://www.suse.com/security/cve/CVE-2015-5963/", }, { category: "self", summary: "SUSE CVE CVE-2016-7401 page", url: "https://www.suse.com/security/cve/CVE-2016-7401/", }, { category: "self", summary: "SUSE CVE CVE-2017-12794 page", url: "https://www.suse.com/security/cve/CVE-2017-12794/", }, { category: "self", summary: "SUSE CVE CVE-2017-7233 page", url: "https://www.suse.com/security/cve/CVE-2017-7233/", }, { category: "self", summary: "SUSE CVE CVE-2017-7234 page", url: "https://www.suse.com/security/cve/CVE-2017-7234/", }, { category: "self", summary: "SUSE CVE CVE-2018-16984 page", url: "https://www.suse.com/security/cve/CVE-2018-16984/", }, { category: "self", summary: "SUSE CVE CVE-2018-6188 page", url: "https://www.suse.com/security/cve/CVE-2018-6188/", }, { category: "self", summary: "SUSE CVE CVE-2018-7536 page", url: "https://www.suse.com/security/cve/CVE-2018-7536/", }, { category: "self", summary: "SUSE CVE CVE-2018-7537 page", url: "https://www.suse.com/security/cve/CVE-2018-7537/", }, { category: "self", summary: "SUSE CVE CVE-2019-11358 page", url: "https://www.suse.com/security/cve/CVE-2019-11358/", }, { category: "self", summary: "SUSE CVE CVE-2019-12308 page", url: "https://www.suse.com/security/cve/CVE-2019-12308/", }, { category: "self", summary: "SUSE CVE CVE-2019-12781 page", url: "https://www.suse.com/security/cve/CVE-2019-12781/", }, { category: "self", summary: "SUSE CVE CVE-2019-14232 page", url: "https://www.suse.com/security/cve/CVE-2019-14232/", }, { category: "self", summary: "SUSE CVE CVE-2019-19118 page", url: "https://www.suse.com/security/cve/CVE-2019-19118/", }, { category: "self", summary: "SUSE CVE CVE-2019-19844 page", url: "https://www.suse.com/security/cve/CVE-2019-19844/", }, { category: "self", summary: "SUSE CVE CVE-2019-3498 page", url: "https://www.suse.com/security/cve/CVE-2019-3498/", }, { category: "self", summary: "SUSE CVE CVE-2019-6975 page", url: "https://www.suse.com/security/cve/CVE-2019-6975/", }, { category: "self", summary: "SUSE CVE CVE-2020-13254 page", url: "https://www.suse.com/security/cve/CVE-2020-13254/", }, { category: "self", summary: "SUSE CVE CVE-2020-13596 page", url: "https://www.suse.com/security/cve/CVE-2020-13596/", }, { category: "self", summary: "SUSE CVE CVE-2020-24583 page", url: "https://www.suse.com/security/cve/CVE-2020-24583/", }, { category: "self", summary: "SUSE CVE CVE-2020-24584 page", url: "https://www.suse.com/security/cve/CVE-2020-24584/", }, { category: "self", summary: "SUSE CVE CVE-2020-7471 page", url: "https://www.suse.com/security/cve/CVE-2020-7471/", }, { category: "self", summary: "SUSE CVE CVE-2020-9402 page", url: "https://www.suse.com/security/cve/CVE-2020-9402/", }, { category: "self", summary: "SUSE CVE CVE-2021-31542 page", url: "https://www.suse.com/security/cve/CVE-2021-31542/", }, { category: "self", summary: "SUSE CVE CVE-2021-32052 page", url: "https://www.suse.com/security/cve/CVE-2021-32052/", }, { category: "self", summary: "SUSE CVE CVE-2021-33203 page", url: "https://www.suse.com/security/cve/CVE-2021-33203/", }, { category: "self", summary: "SUSE CVE CVE-2021-33571 page", url: "https://www.suse.com/security/cve/CVE-2021-33571/", }, { category: "self", summary: "SUSE CVE CVE-2021-35042 page", url: "https://www.suse.com/security/cve/CVE-2021-35042/", }, ], title: "python36-Django-3.2.7-2.3 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:11205-1", initial_release_date: "2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python36-Django-3.2.7-2.3.aarch64", product: { name: "python36-Django-3.2.7-2.3.aarch64", product_id: "python36-Django-3.2.7-2.3.aarch64", }, }, { category: "product_version", name: "python38-Django-3.2.7-2.3.aarch64", product: { name: "python38-Django-3.2.7-2.3.aarch64", product_id: "python38-Django-3.2.7-2.3.aarch64", }, }, { category: "product_version", name: "python39-Django-3.2.7-2.3.aarch64", product: { name: "python39-Django-3.2.7-2.3.aarch64", product_id: "python39-Django-3.2.7-2.3.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python36-Django-3.2.7-2.3.ppc64le", product: { name: "python36-Django-3.2.7-2.3.ppc64le", product_id: "python36-Django-3.2.7-2.3.ppc64le", }, }, { category: "product_version", name: "python38-Django-3.2.7-2.3.ppc64le", product: { name: "python38-Django-3.2.7-2.3.ppc64le", product_id: "python38-Django-3.2.7-2.3.ppc64le", }, }, { category: "product_version", name: "python39-Django-3.2.7-2.3.ppc64le", product: { name: "python39-Django-3.2.7-2.3.ppc64le", product_id: "python39-Django-3.2.7-2.3.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python36-Django-3.2.7-2.3.s390x", product: { name: "python36-Django-3.2.7-2.3.s390x", product_id: "python36-Django-3.2.7-2.3.s390x", }, }, { category: "product_version", name: "python38-Django-3.2.7-2.3.s390x", product: { name: "python38-Django-3.2.7-2.3.s390x", product_id: "python38-Django-3.2.7-2.3.s390x", }, }, { category: "product_version", name: "python39-Django-3.2.7-2.3.s390x", product: { name: "python39-Django-3.2.7-2.3.s390x", product_id: "python39-Django-3.2.7-2.3.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "python36-Django-3.2.7-2.3.x86_64", product: { name: "python36-Django-3.2.7-2.3.x86_64", product_id: "python36-Django-3.2.7-2.3.x86_64", }, }, { category: "product_version", name: "python38-Django-3.2.7-2.3.x86_64", product: { name: "python38-Django-3.2.7-2.3.x86_64", product_id: "python38-Django-3.2.7-2.3.x86_64", }, }, { category: "product_version", name: "python39-Django-3.2.7-2.3.x86_64", product: { name: "python39-Django-3.2.7-2.3.x86_64", product_id: "python39-Django-3.2.7-2.3.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python36-Django-3.2.7-2.3.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", }, product_reference: "python36-Django-3.2.7-2.3.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Django-3.2.7-2.3.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", }, product_reference: "python36-Django-3.2.7-2.3.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Django-3.2.7-2.3.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", }, product_reference: "python36-Django-3.2.7-2.3.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python36-Django-3.2.7-2.3.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", }, product_reference: "python36-Django-3.2.7-2.3.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Django-3.2.7-2.3.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", }, product_reference: "python38-Django-3.2.7-2.3.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Django-3.2.7-2.3.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", }, product_reference: "python38-Django-3.2.7-2.3.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Django-3.2.7-2.3.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", }, product_reference: "python38-Django-3.2.7-2.3.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python38-Django-3.2.7-2.3.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", }, product_reference: "python38-Django-3.2.7-2.3.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Django-3.2.7-2.3.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", }, product_reference: "python39-Django-3.2.7-2.3.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Django-3.2.7-2.3.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", }, product_reference: "python39-Django-3.2.7-2.3.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Django-3.2.7-2.3.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", }, product_reference: "python39-Django-3.2.7-2.3.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python39-Django-3.2.7-2.3.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", }, product_reference: "python39-Django-3.2.7-2.3.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3982", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-3982", }, ], notes: [ { category: "general", text: "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-3982", url: "https://www.suse.com/security/cve/CVE-2015-3982", }, { category: "external", summary: "SUSE Bug 932265 for CVE-2015-3982", url: "https://bugzilla.suse.com/932265", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2015-3982", }, { cve: "CVE-2015-5145", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5145", }, ], notes: [ { category: "general", text: "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-5145", url: "https://www.suse.com/security/cve/CVE-2015-5145", }, { category: "external", summary: "SUSE Bug 937524 for CVE-2015-5145", url: "https://bugzilla.suse.com/937524", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2015-5145", }, { cve: "CVE-2015-5963", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5963", }, ], notes: [ { category: "general", text: "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-5963", url: "https://www.suse.com/security/cve/CVE-2015-5963", }, { category: "external", summary: "SUSE Bug 941587 for CVE-2015-5963", url: "https://bugzilla.suse.com/941587", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2015-5963", }, { cve: "CVE-2016-7401", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-7401", }, ], notes: [ { category: "general", text: "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-7401", url: "https://www.suse.com/security/cve/CVE-2016-7401", }, { category: "external", summary: "SUSE Bug 1001374 for CVE-2016-7401", url: "https://bugzilla.suse.com/1001374", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-7401", }, { cve: "CVE-2017-12794", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12794", }, ], notes: [ { category: "general", text: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-12794", url: "https://www.suse.com/security/cve/CVE-2017-12794", }, { category: "external", summary: "SUSE Bug 1056284 for CVE-2017-12794", url: "https://bugzilla.suse.com/1056284", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2017-12794", }, { cve: "CVE-2017-7233", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7233", }, ], notes: [ { category: "general", text: "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-7233", url: "https://www.suse.com/security/cve/CVE-2017-7233", }, { category: "external", summary: "SUSE Bug 1031450 for CVE-2017-7233", url: "https://bugzilla.suse.com/1031450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "low", }, ], title: "CVE-2017-7233", }, { cve: "CVE-2017-7234", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7234", }, ], notes: [ { category: "general", text: "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-7234", url: "https://www.suse.com/security/cve/CVE-2017-7234", }, { category: "external", summary: "SUSE Bug 1031451 for CVE-2017-7234", url: "https://bugzilla.suse.com/1031451", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "low", }, ], title: "CVE-2017-7234", }, { cve: "CVE-2018-16984", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-16984", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-16984", url: "https://www.suse.com/security/cve/CVE-2018-16984", }, { category: "external", summary: "SUSE Bug 1109621 for CVE-2018-16984", url: "https://bugzilla.suse.com/1109621", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-16984", }, { cve: "CVE-2018-6188", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6188", }, ], notes: [ { category: "general", text: "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-6188", url: "https://www.suse.com/security/cve/CVE-2018-6188", }, { category: "external", summary: "SUSE Bug 1077714 for CVE-2018-6188", url: "https://bugzilla.suse.com/1077714", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2018-6188", }, { cve: "CVE-2018-7536", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7536", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-7536", url: "https://www.suse.com/security/cve/CVE-2018-7536", }, { category: "external", summary: "SUSE Bug 1083304 for CVE-2018-7536", url: "https://bugzilla.suse.com/1083304", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-7536", }, { cve: "CVE-2018-7537", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7537", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-7537", url: "https://www.suse.com/security/cve/CVE-2018-7537", }, { category: "external", summary: "SUSE Bug 1083305 for CVE-2018-7537", url: "https://bugzilla.suse.com/1083305", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-7537", }, { cve: "CVE-2019-11358", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-11358", }, ], notes: [ { category: "general", text: "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-11358", url: "https://www.suse.com/security/cve/CVE-2019-11358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-11358", }, { cve: "CVE-2019-12308", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-12308", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-12308", url: "https://www.suse.com/security/cve/CVE-2019-12308", }, { category: "external", summary: "SUSE Bug 1136468 for CVE-2019-12308", url: "https://bugzilla.suse.com/1136468", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-12308", }, { cve: "CVE-2019-12781", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-12781", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-12781", url: "https://www.suse.com/security/cve/CVE-2019-12781", }, { category: "external", summary: "SUSE Bug 1124991 for CVE-2019-12781", url: "https://bugzilla.suse.com/1124991", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-12781", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-12781", }, { cve: "CVE-2019-14232", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-14232", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-14232", url: "https://www.suse.com/security/cve/CVE-2019-14232", }, { category: "external", summary: "SUSE Bug 1142880 for CVE-2019-14232", url: "https://bugzilla.suse.com/1142880", }, { category: "external", summary: "SUSE Bug 1215978 for CVE-2019-14232", url: "https://bugzilla.suse.com/1215978", }, { category: "external", summary: "SUSE Bug 1220358 for CVE-2019-14232", url: "https://bugzilla.suse.com/1220358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2019-14232", }, { cve: "CVE-2019-19118", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-19118", }, ], notes: [ { category: "general", text: "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-19118", url: "https://www.suse.com/security/cve/CVE-2019-19118", }, { category: "external", summary: "SUSE Bug 1157705 for CVE-2019-19118", url: "https://bugzilla.suse.com/1157705", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-19118", }, { cve: "CVE-2019-19844", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-19844", }, ], notes: [ { category: "general", text: "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-19844", url: "https://www.suse.com/security/cve/CVE-2019-19844", }, { category: "external", summary: "SUSE Bug 1159447 for CVE-2019-19844", url: "https://bugzilla.suse.com/1159447", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-19844", }, { cve: "CVE-2019-3498", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-3498", }, ], notes: [ { category: "general", text: "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-3498", url: "https://www.suse.com/security/cve/CVE-2019-3498", }, { category: "external", summary: "SUSE Bug 1120932 for CVE-2019-3498", url: "https://bugzilla.suse.com/1120932", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-3498", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "low", }, ], title: "CVE-2019-3498", }, { cve: "CVE-2019-6975", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-6975", }, ], notes: [ { category: "general", text: "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-6975", url: "https://www.suse.com/security/cve/CVE-2019-6975", }, { category: "external", summary: "SUSE Bug 1124991 for CVE-2019-6975", url: "https://bugzilla.suse.com/1124991", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-6975", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-6975", }, { cve: "CVE-2020-13254", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-13254", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-13254", url: "https://www.suse.com/security/cve/CVE-2020-13254", }, { category: "external", summary: "SUSE Bug 1172166 for CVE-2020-13254", url: "https://bugzilla.suse.com/1172166", }, { category: "external", summary: "SUSE Bug 1172167 for CVE-2020-13254", url: "https://bugzilla.suse.com/1172167", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-13254", }, { cve: "CVE-2020-13596", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-13596", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-13596", url: "https://www.suse.com/security/cve/CVE-2020-13596", }, { category: "external", summary: "SUSE Bug 1172166 for CVE-2020-13596", url: "https://bugzilla.suse.com/1172166", }, { category: "external", summary: "SUSE Bug 1172167 for CVE-2020-13596", url: "https://bugzilla.suse.com/1172167", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-13596", }, { cve: "CVE-2020-24583", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-24583", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-24583", url: "https://www.suse.com/security/cve/CVE-2020-24583", }, { category: "external", summary: "SUSE Bug 1175784 for CVE-2020-24583", url: "https://bugzilla.suse.com/1175784", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-24583", }, { cve: "CVE-2020-24584", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-24584", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-24584", url: "https://www.suse.com/security/cve/CVE-2020-24584", }, { category: "external", summary: "SUSE Bug 1175784 for CVE-2020-24584", url: "https://bugzilla.suse.com/1175784", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-24584", }, { cve: "CVE-2020-7471", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-7471", }, ], notes: [ { category: "general", text: "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-7471", url: "https://www.suse.com/security/cve/CVE-2020-7471", }, { category: "external", summary: "SUSE Bug 1161919 for CVE-2020-7471", url: "https://bugzilla.suse.com/1161919", }, { category: "external", summary: "SUSE Bug 1161920 for CVE-2020-7471", url: "https://bugzilla.suse.com/1161920", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.6, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-7471", }, { cve: "CVE-2020-9402", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-9402", }, ], notes: [ { category: "general", text: "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-9402", url: "https://www.suse.com/security/cve/CVE-2020-9402", }, { category: "external", summary: "SUSE Bug 1165022 for CVE-2020-9402", url: "https://bugzilla.suse.com/1165022", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.6, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-9402", }, { cve: "CVE-2021-31542", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-31542", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-31542", url: "https://www.suse.com/security/cve/CVE-2021-31542", }, { category: "external", summary: "SUSE Bug 1185623 for CVE-2021-31542", url: "https://bugzilla.suse.com/1185623", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-31542", }, { cve: "CVE-2021-32052", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-32052", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-32052", url: "https://www.suse.com/security/cve/CVE-2021-32052", }, { category: "external", summary: "SUSE Bug 1185713 for CVE-2021-32052", url: "https://bugzilla.suse.com/1185713", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-32052", }, { cve: "CVE-2021-33203", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-33203", }, ], notes: [ { category: "general", text: "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-33203", url: "https://www.suse.com/security/cve/CVE-2021-33203", }, { category: "external", summary: "SUSE Bug 1186608 for CVE-2021-33203", url: "https://bugzilla.suse.com/1186608", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-33203", }, { cve: "CVE-2021-33571", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-33571", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-33571", url: "https://www.suse.com/security/cve/CVE-2021-33571", }, { category: "external", summary: "SUSE Bug 1186611 for CVE-2021-33571", url: "https://bugzilla.suse.com/1186611", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-33571", }, { cve: "CVE-2021-35042", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-35042", }, ], notes: [ { category: "general", text: "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-35042", url: "https://www.suse.com/security/cve/CVE-2021-35042", }, { category: "external", summary: "SUSE Bug 1187785 for CVE-2021-35042", url: "https://bugzilla.suse.com/1187785", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python36-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python38-Django-3.2.7-2.3.x86_64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.aarch64", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.ppc64le", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.s390x", "openSUSE Tumbleweed:python39-Django-3.2.7-2.3.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2021-35042", }, ], }
opensuse-su-2023:0077-1
Vulnerability from csaf_opensuse
Published
2023-03-20 15:09
Modified
2023-03-20 15:09
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following issues:
- CVE-2023-24580: Prevent DOS in file uploads. (boo#1208082)
update to 1.11.15
* CVE-2018-14574: Fixed Open redirect possibility in CommonMiddleware (boo#1102680)
* Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+
* Fixed a regression in Django 1.10 that could result in large memory usage
when making edits using ModelAdmin.list_editable
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list()
after combining an annotated and unannotated queryset with union(),
difference(), or intersection() crashed due to mismatching columns
* Fixed crashes in django.contrib.admindocs when a view is a callable object,
such as django.contrib.syndication.views.Feed
* Fixed a regression in Django 1.11.8 where altering a field with a unique
constraint may drop and rebuild more foreign keys than necessary
* Fixed a regression in Django 1.11.8 where combining two annotated values_list()
querysets with union(), difference(), or intersection() crashed due to mismatching columns
* Fixed a regression in Django 1.11 where an empty choice could be
initially selected for the SelectMultiple and CheckboxSelectMultiple widgets
- Update to 1.11.11
* Fixes CVE-2018-7536, CVE-2018-7537
- Update to 1.11.10 LTS
* Fixes CVE-2018-6188 boo#1077714, CVE-2017-7234, CVE-2017-7233,
CVE-2017-12794
- Change Requires: python-Pillow to python-imaging for compatibility
with SLE-12 which provides PIL instead of Pillow.
- Update to 1.9.9
Bugfixes
* Fixed invalid HTML in template postmortem on the debug page
(#26938).
* Fixed some GIS database function crashes on MySQL 5.7 (#26657).
- Update to 1.9.8
Fix XSS in admin’s add/change related popup (boo#988420)
Unsafe usage of JavaScript’s Element.innerHTML could result in XSS
in the admin’s add/change related popup. Element.textContent is now
used to prevent execution of the data.
The debug view also used innerHTML. Although a security issue wasn’t
identified there, out of an abundance of caution it’s also updated
to use textContent.
Bugfixes
* Fixed missing varchar/text_pattern_ops index on CharField and
TextField respectively when using AddField on PostgreSQL (#26889).
* Fixed makemessages crash on Python 2 with non-ASCII file names
(#26897).
- Update to 1.9.7
Bugfixes
* Removed the need for the request context processor on the admin
login page to fix a regression in 1.9 (#26558).
* Fixed translation of password validators’ help_text in forms
(#26544).
* Fixed a regression causing the cached template loader to crash
when using lazy template names (#26603).
* Fixed on_commit callbacks execution order when callbacks make
transactions (#26627).
* Fixed HStoreField to raise a ValidationError instead of crashing
on non-dictionary JSON input (#26672).
* Fixed dbshell crash on PostgreSQL with an empty database name
(#26698).
* Fixed a regression in queries on a OneToOneField that has to_field
and primary_key=True (#26667).
- Update to 1.9.6
Bugfixes
* Added support for relative path redirects to the test client and
to SimpleTestCase.assertRedirects() because Django 1.9 no longer
converts redirects to absolute URIs (#26428).
* Fixed TimeField microseconds round-tripping on MySQL and SQLite
(#26498).
* Prevented makemigrations from generating infinite migrations for a
model field that references a functools.partial (#26475).
* Fixed a regression where SessionBase.pop() returned None rather
than raising a KeyError for nonexistent values (#26520).
* Fixed a regression causing the cached template loader to crash
when using template names starting with a dash (#26536).
* Restored conversion of an empty string to null when saving values
of GenericIPAddressField on SQLite and MySQL (#26557).
* Fixed a makemessages regression where temporary .py extensions
were leaked in source file paths (#26341).
- Update to 1.9.5
- Update to 1.9.2
Security issue
* User with 'change' but not 'add' permission can create objects for
ModelAdmin's with save_as=True
Backwards incompatible change
* .py-tpl files rewritten in project/app templates
Bugfixes
* Fixed a regression in ConditionalGetMiddleware causing
If-None-Match checks to always return HTTP 200 (#26024).
* Fixed a regression that caused the 'user-tools' items to display
on the admin's logout page (#26035).
* Fixed a crash in the translations system when the current language
has no translations (#26046).
* Fixed a regression that caused the incorrect day to be selected
when opening the admin calendar widget for timezones from GMT+0100
to GMT+1200 (#24980).
* Fixed a regression in the admin's edit related model popup that
caused an escaped value to be displayed in the select dropdown of
the parent window (#25997).
* Fixed a regression in 1.8.8 causing incorrect index handling in
migrations on PostgreSQL when adding db_index=True or unique=True
to a CharField or TextField that already had the other specified,
or when removing one of them from a field that had both, or when
adding unique=True to a field already listed in unique_together
(#26034).
* Fixed a regression where defining a relation on an abstract
model's field using a string model name without an app_label no
longer resolved that reference to the abstract model's app if
using that model in another application (#25858).
* Fixed a crash when destroying an existing test database on MySQL
or PostgreSQL (#26096).
* Fixed CSRF cookie check on POST requests when
USE_X_FORWARDED_PORT=True (#26094).
* Fixed a QuerySet.order_by() crash when ordering by a relational
field of a ManyToManyField through model (#26092).
* Fixed a regression that caused an exception when making database
queries on SQLite with more than 2000 parameters when DEBUG is
True on distributions that increase the SQLITE_MAX_VARIABLE_NUMBER
compile-time limit to over 2000, such as Debian (#26063).
* Fixed a crash when using a reverse OneToOneField in
ModelAdmin.readonly_fields (#26060).
* Fixed a crash when calling the migrate command in a test case with
the available_apps attribute pointing to an application with
migrations disabled using the MIGRATION_MODULES setting (#26135).
* Restored the ability for testing and debugging tools to determine
the template from which a node came from, even during template
inheritance or inclusion. Prior to Django 1.9, debugging tools
could access the template origin from the node via
Node.token.source[0]. This was an undocumented, private API. The
origin is now available directly on each node using the
Node.origin attribute (#25848).
* Fixed a regression in Django 1.8.5 that broke copying a
SimpleLazyObject with copy.copy() (#26122).
* Always included geometry_field in the GeoJSON serializer output
regardless of the fields parameter (#26138).
* Fixed the contrib.gis map widgets when using
USE_THOUSAND_SEPARATOR=True (#20415).
* Made invalid forms display the initial of values of their disabled
fields (#26129).
- Update to 1.9.1
Bugfixes
* Fixed BaseCache.get_or_set() with the DummyCache backend (#25840).
* Fixed a regression in FormMixin causing forms to be validated
twice (#25548, #26018).
* Fixed a system check crash with nested ArrayFields (#25867).
* Fixed a state bug when migrating a SeparateDatabaseAndState
operation backwards (#25896).
* Fixed a regression in CommonMiddleware causing If-None-Match
checks to always return HTTP 200 (#25900).
* Fixed missing varchar/text_pattern_ops index on CharField and
TextField respectively when using AlterField on PostgreSQL
(#25412).
* Fixed admin’s delete confirmation page’s summary counts of related
objects (#25883).
* Added from __future__ import unicode_literals to the default
apps.py created by startapp on Python 2 (#25909). Add this line to
your own apps.py files created using Django 1.9 if you want your
migrations to work on both Python 2 and Python 3.
* Prevented QuerySet.delete() from crashing on MySQL when querying
across relations.
* Fixed evaluation of zero-length slices of QuerySet.values()
(#25894).
* ...
* https://docs.djangoproject.com/en/1.9/releases/1.9.1/
- update to 1.9
* https://docs.djangoproject.com/en/1.9/releases/1.9/
* Performing actions after a transaction commit
* Password validation
* Permission mixins for class-based views
* New styling for 'contrib.admin'
* Running tests in parallel
- update to 1.8.6:
* https://docs.djangoproject.com/en/1.8/releases/1.8.5/
* https://docs.djangoproject.com/en/1.8/releases/1.8.6/
- add missing Requires for python-setuptools (boo#952198)
/usr/bin/django-admin needs the pkg_resources framework from
python-setuptools to run properly.
- update to 1.8.4 (CVE-2015-5963):
* https://docs.djangoproject.com/en/1.8/releases/1.8.4/
- add keyring and verify source signature
- update to 1.8.3:
* https://docs.djangoproject.com/en/1.8/releases/1.8.3/
Various bugfixes/security fixes (CVE-2015-5145, boo#937524)
- update to 1.8.2 (CVE-2015-3982):
* https://docs.djangoproject.com/en/1.8/releases/1.8.2/
* https://docs.djangoproject.com/en/1.8/releases/1.8.1/
- Update to Django 1.8
* 'Long-Term Support' (LTS) release
New features:
* Model._meta API
* Multiple template engines
* Security enhancements
* New PostgreSQL specific functionality
* New data types
* Query Expressions, Conditional Expressions, and Database Functions
* TestCase data setup
Backwards incompatible changes:
* Related object operations are run in a transaction
* Assigning unsaved objects to relations raises an error
* Management commands that only accept positional arguments
* Custom test management command arguments through test runner
* Model check ensures auto-generated column names are within limits
specified by database
* Query relation lookups now check object types
* select_related() now checks given fields
* Default EmailField.max_length increased to 254
* (DROP) Support for PostgreSQL versions older than 9.0
* (DROP) Support for MySQL versions older than 5.5
* (DROP) Support for Oracle versions older than 11.1
* Specific privileges used instead of roles for tests on Oracle
* ...
- Update to Django 1.7.7:
Security issues:
* Denial-of-service possibility with strip_tags()
* Mitigated possible XSS attack via user-supplied redirect URLs
Bugfixes:
* Fixed renaming of classes in migrations where renaming a subclass would
cause incorrect state to be recorded for objects that referenced the
superclass (#24354).
* Stopped writing migration files in dry run mode when merging migration
conflicts. When makemigrations --merge is called with verbosity=3 the
migration file is written to stdout (:ticket: 24427).
- Update to Djano 1.7.6:
Bugfixes
* Mitigated an XSS attack via properties in
'ModelAdmin.readonly_fields'
* Fixed crash when coercing 'ManyRelatedManager' to a string
(#24352).
* Fixed a bug that prevented migrations from adding a foreign key
constraint when converting an existing field to a foreign key
(#24447).
- Update to Django 1.7.5:
Bugfixes
* Reverted a fix that prevented a migration crash when unapplying
contrib.contenttypes's or contrib.auth's first migration (#24075)
due to severe impact on the test performance (#24251) and problems
in multi-database setups (#24298).
* Fixed a regression that prevented custom fields inheriting from
ManyToManyField from being recognized in migrations (#24236).
* Fixed crash in contrib.sites migrations when a default database
isn't used (#24332).
* Added the ability to set the isolation level on PostgreSQL with
psycopg2 >= 2.4.2 (#24318). It was advertised as a new feature in
Django 1.6 but it didn't work in practice.
* Formats for the Azerbaijani locale (az) have been added.
- Update to Django 1.7.4:
Bugfixes
* Fixed a migration crash when unapplying ``contrib.contenttypes``’s
or ``contrib.auth``’s first migration (:ticket:`24075`).
* Made the migration's ``RenameModel`` operation rename
``ManyToManyField`` tables (:ticket:`24135`).
* Fixed a migration crash on MySQL when migrating from a
``OneToOneField`` to a ``ForeignKey`` (:ticket:`24163`).
* Prevented the ``static.serve`` view from producing
``ResourceWarning``\s in certain circumstances (security fix
regression, :ticket:`24193`).
* Fixed schema check for ManyToManyField to look for internal type
instead of checking class instance, so you can write custom
m2m-like fields with the same behavior. (:ticket:`24104`).
- Update to Django 1.7.3:
Security fixes:
* WSGI header spoofing via underscore/dash conflation.
* Mitigated possible XSS attack via user-supplied redirect URLs.
* Denial-of-service attack against django.views.static.serve.
* Database denial-of-service with ModelMultipleChoiceField.
Bug fixes:
* The default iteration count for the PBKDF2 password hasher has been
increased by 25%. This part of the normal major release process was
inadvertently omitted in 1.7. This backwards compatible change will not
affect users who have subclassed
django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default
value.
* Fixed a crash in the CSRF middleware when handling non-ASCII referer
header (#23815).
* Fixed a crash in the django.contrib.auth.redirect_to_login view when
passing a reverse_lazy() result on Python 3 (#24097).
* Added correct formats for Greek (el) (#23967).
* Fixed a migration crash when unapplying a migration where multiple
operations interact with the same model (#24110).
- South has been merged in main Django; provide and obsolete it
- Update to Django 1.7.2:
* Fixed migration’s renaming of auto-created many-to-many tables
when changing Meta.db_table (#23630).
* Fixed a migration crash when adding an explicit id field to a
model on SQLite (#23702).
* Added a warning for duplicate models when a module is
reloaded. Previously a RuntimeError was raised every time two
models clashed in the app registry. (#23621).
* Prevented flush from loading initial data for migrated apps
(#23699).
* Fixed a makemessages regression in 1.7.1 when STATIC_ROOT has the
default None value (#23717).
* Added GeoDjango compatibility with mysqlclient database driver.
* Fixed MySQL 5.6+ crash with GeometryFields in migrations (#23719).
* Fixed a migration crash when removing a field that is referenced
in AlterIndexTogether or AlterUniqueTogether (#23614).
* Updated the first day of the week in the Ukrainian locale to
Monday.
* Added support for transactional spatial metadata initialization on
SpatiaLite 4.1+ (#23152).
* Fixed a migration crash that prevented changing a nullable field
with a default to non-nullable with the same default (#23738).
* Fixed a migration crash when adding GeometryFields with blank=True
on PostGIS (#23731).
* Allowed usage of DateTimeField() as Transform.output_field
(#23420).
* Fixed a migration serializing bug involving float('nan') and
float('inf') (#23770).
* Fixed a regression where custom form fields having a queryset
attribute but no limit_choices_to could not be used in a ModelForm
(#23795).
* Fixed a custom field type validation error with MySQL backend when
db_type returned None (#23761).
* Fixed a migration crash when a field is renamed that is part of an
index_together (#23859).
* Fixed squashmigrations to respect the --no-optimize parameter
(#23799).
* Made RenameModel reversible (#22248)
* Avoided unnecessary rollbacks of migrations from other apps when
migrating backwards (#23410).
* Fixed a rare query error when using deeply nested subqueries
(#23605).
* Fixed a crash in migrations when deleting a field that is part of
a index/unique_together constraint (#23794).
* Fixed django.core.files.File.__repr__() when the file’s name
contains Unicode characters (#23888).
* Added missing context to the admin’s delete_selected view that
prevented custom site header, etc. from appearing (#23898).
* Fixed a regression with dynamically generated inlines and allowed
field references in the admin (#23754).
* Fixed an infinite loop bug for certain cyclic migration
dependencies, and made the error message for cyclic dependencies
much more helpful.
* Added missing index_together handling for SQLite (#23880).
* Fixed a crash when RunSQL SQL content was collected by the schema
editor, typically when using sqlmigrate (#23909).
* Fixed a regression in contrib.admin add/change views which caused
some ModelAdmin methods to receive the incorrect obj value
(#23934).
* Fixed runserver crash when socket error message contained Unicode
characters (#23946).
* Fixed serialization of type when adding a deconstruct() method
(#23950).
* Prevented the SessionAuthenticationMiddleware from setting a
'Vary: Cookie' header on all responses (#23939).
* Fixed a crash when adding blank=True to TextField() on MySQL
(#23920).
* Fixed index creation by the migration infrastructure, particularly
when dealing with PostgreSQL specific {text|varchar}_pattern_ops
indexes (#23954).
* Fixed bug in makemigrations that created broken migration files
when dealing with multiple table inheritance and inheriting from
more than one model (#23956).
* Fixed a crash when a MultiValueField has invalid data (#23674).
* Fixed a crash in the admin when using “Save as new” and also
deleting a related inline (#23857).
* Always converted related_name to text (unicode), since that is
required on Python 3 for interpolation. Removed conversion of
related_name to text in migration deconstruction (#23455 and
#23982).
* Enlarged the sizes of tablespaces which are created by default for
testing on Oracle (the main tablespace was increased from 200M to
300M and the temporary tablespace from 100M to 150M). This was
required to accommodate growth in Django’s own test suite
(#23969).
* Fixed timesince filter translations in Korean (#23989).
* Fixed the SQLite SchemaEditor to properly add defaults in the
absence of a user specified default. For example, a CharField with
blank=True didn’t set existing rows to an empty string which
resulted in a crash when adding the NOT NULL constraint (#23987).
* makemigrations no longer prompts for a default value when adding
TextField() or CharField() without a default (#23405).
* Fixed a migration crash when adding order_with_respect_to to a
table with existing rows (#23983).
* Restored the pre_migrate signal if all apps have migrations
(#23975).
* Made admin system checks run for custom AdminSites (#23497).
* Ensured the app registry is fully populated when unpickling
models. When an external script (like a queueing infrastructure)
reloads pickled models, it could crash with an AppRegistryNotReady
exception (#24007).
* Added quoting to field indexes in the SQL generated by migrations
to prevent a crash when the index name requires it (##24015).
* Added datetime.time support to migrations questioner (#23998).
* Fixed admindocs crash on apps installed as eggs (#23525).
* Changed migrations autodetector to generate an AlterModelOptions
operation instead of DeleteModel and CreateModel operations when
changing Meta.managed. This prevents data loss when changing
managed from False to True and vice versa (#24037).
* Enabled the sqlsequencereset command on apps with migrations
(#24054).
* Added tablespace SQL to apps with migrations (#24051).
* Corrected contrib.sites default site creation in a multiple
database setup (#24000).
* Restored support for objects that aren’t str or bytes in
mark_for_escaping() on Python 3.
* Supported strings escaped by third-party libraries with the
__html__ convention in the template engine (#23831).
* Prevented extraneous DROP DEFAULT SQL in migrations (#23581).
* Restored the ability to use more than five levels of subqueries
(#23758).
* Fixed crash when ValidationError is initialized with a
ValidationError that is initialized with a dictionary (#24008).
* Prevented a crash on apps without migrations when running migrate
--list (#23366).
- Update to Django 1.7.1
* Allowed related many-to-many fields to be referenced in the admin
(#23604).
* Added a more helpful error message if you try to migrate an app
without first creating the contenttypes table (#22411).
* Modified migrations dependency algorithm to avoid possible
infinite recursion.
* Fixed a UnicodeDecodeError when the flush error message contained
Unicode characters (#22882).
* Reinstated missing CHECK SQL clauses which were omitted on some
backends when not using migrations (#23416).
* Fixed serialization of type objects in migrations (#22951).
* Allowed inline and hidden references to admin fields (#23431).
* The @deconstructible decorator now fails with a ValueError if the
decorated object cannot automatically be imported (#23418).
* Fixed a typo in an inlineformset_factory() error message that
caused a crash (#23451).
* Restored the ability to use ABSOLUTE_URL_OVERRIDES with the
'auth.User' model (#11775). As a side effect, the setting now adds
a get_absolute_url() method to any model that appears in
ABSOLUTE_URL_OVERRIDES but doesn’t define get_absolute_url().
* Avoided masking some ImportError exceptions during application
loading (#22920).
* Empty index_together or unique_together model options no longer
results in infinite migrations (#23452).
* Fixed crash in contrib.sitemaps if lastmod returned a date rather
than a datetime (#23403).
* Allowed migrations to work with app_labels that have the same last
part (e.g. django.contrib.auth and vendor.auth) (#23483).
* Restored the ability to deepcopy F objects (#23492).
* Formats for Welsh (cy) and several Chinese locales (zh_CN,
zh_Hans, zh_Hant and zh_TW) have been added. Formats for
Macedonian have been fixed (trailing dot removed, #23532).
* Added quoting of constraint names in the SQL generated by
migrations to prevent crash with uppercase characters in the name
(#23065).
* Fixed renaming of models with a self-referential many-to-many
field (ManyToManyField('self')) (#23503).
* Added the get_extra(), get_max_num(), and get_min_num() hooks to
GenericInlineModelAdmin (#23539).
* Made migrations.RunSQL no longer require percent sign
escaping. This is now consistent with cursor.execute() (#23426).
* Made the SERIALIZE entry in the TEST dictionary usable (#23421).
* Fixed bug in migrations that prevented foreign key constraints to
unmanaged models with a custom primary key (#23415).
* Added SchemaEditor for MySQL GIS backend so that spatial indexes
will be created for apps with migrations (#23538).
* Added SchemaEditor for Oracle GIS backend so that spatial metadata
and indexes will be created for apps with migrations (#23537).
* Coerced the related_name model field option to unicode during
migration generation to generate migrations that work with both
Python 2 and 3 (#23455).
* Fixed MigrationWriter to handle builtin types without imports
(#23560).
* Fixed deepcopy on ErrorList (#23594).
* Made the admindocs view to browse view details check if the view
specified in the URL exists in the URLconf. Previously it was
possible to import arbitrary packages from the Python path. This
was not considered a security issue because admindocs is only
accessible to staff users (#23601).
* Fixed UnicodeDecodeError crash in AdminEmailHandler with non-ASCII
characters in the request (#23593).
* Fixed missing get_or_create and update_or_create on related
managers causing IntegrityError (#23611).
* Made urlsafe_base64_decode() return the proper type (byte string)
on Python 3 (#23333).
* makemigrations can now serialize timezone-aware values (#23365).
* Added a prompt to the migrations questioner when removing the null
constraint from a field to prevent an IntegrityError on existing
NULL rows (#23609).
* Fixed generic relations in ModelAdmin.list_filter (#23616).
* Restored RFC compliance for the SMTP backend on Python 3 (#23063).
* Fixed a crash while parsing cookies containing invalid content
(#23638).
* The system check framework now raises error models.E020 when the
class method Model.check() is unreachable (#23615).
* Made the Oracle test database creation drop the test user in the
event of an unclean exit of a previous test run (#23649).
* Fixed makemigrations to detect changes to Meta.db_table (#23629).
* Fixed a regression when feeding the Django test client with an
empty data string (#21740).
* Fixed a regression in makemessages where static files were
unexpectedly ignored (#23583).
- Update to Django 1.7
* A new built-in database migration system. Notes on upgrading from
South (a popular third*party application providing migration
functionality) are also available.
* A refactored concept of Django applications. Django applications
are no longer tied to the existence of a models files, and can now
specify both configuration data and code to be executed as Django
starts up.
* Improvements to the model Field API to support migrations and, in
the future, to enable easy addition of composite-key support to
Django's ORM.
* Improvements for custom Manager and QuerySet classes, allowing
reverse relationship traversal to specify the Manager to use, and
creation of a Manager from a custom QuerySet class.
* An extensible system check framework which can assist developers
in detecting and diagnosing errors.
Please refer to the release notes for all details and migration
instructions:
https://docs.djangoproject.com/en/1.7/releases/1.7/
- Added python-setuptools as a BuildRequires.
- Fixed Source URL from Django Project site.
- Reordered sources.
- Fixed deduplication to avoid wrong mtimes in pyc files.
- Rename rpmlintrc to %{name}-rpmlintrc.
Follow the packaging guidelines.
- Update to version 1.6.5, sercurity and important changes:
+ Unexpected code execution using reverse()
+ Caching of anonymous pages could reveal CSRF token
+ MySQL typecasting
+ select_for_update() requires a transaction
+ Issue: Caches may incorrectly be allowed to store and serve private data
+ Issue: Malformed redirect URLs from user input not correctly validated
- Fix update-alternatives
- Update to version 1.6.2:
+ Prevented the base geometry object of a prepared geometry to be garbage
collected, which could lead to crash Django (#21662).
+ Fixed a crash when executing the changepassword command when the user
object representation contained non-ASCII characters (#21627).
+ The collectstatic command will raise an error rather than default to
using the current working directory if STATIC_ROOT is not set. Combined
with the --clear option, the previous behavior could wipe anything
below the current working directory (#21581).
+ Fixed mail encoding on Python 3.3.3+ (#21093).
+ Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False,
the connection wasn’t in autocommit mode but Django pretended it was.
+ Fixed a regression in multiple-table inheritance exclude() queries (#21787).
+ Added missing items to django.utils.timezone.__all__ (#21880).
+ Fixed a field misalignment issue with select_related() and model inheritance (#21413).
+ Fixed join promotion for negated AND conditions (#21748).
+ Oracle database introspection now works with boolean and float fields (#19884).
+ Fixed an issue where lazy objects weren’t actually marked as safe when
passed through mark_safe() and could end up being double-escaped (#21882).
- Update to version 1.6.1:
- Most bug fixes are minor; you can find a complete list in the Django 1.6.1
release notes.
- Update-alternatives also for bash-completion
- Only ghost /etc/alternatives on 12.3 or newer
- Require python-Pillow for image-related functionality
- Package was renamed from python-django
- Drop Django-1.2-completion-only-for-bash.patch: Useless
- Update to version 1.6:
- Please read the release notes
https://docs.djangoproject.com/en/1.6/releases/1.6
- Removed Patch2 as it is no needed anymore:
Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch
- Update to version 1.5.4:
+ Fixed denial-of-service via large passwords
- Changes from version 1.5.3:
+ Fixed directory traversal with ssi template tag
- Update to 1.5.2:
- Security release, please check release notes for details:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
- Update to 1.5.1:
- Memory leak fix, please read release announcement at
https://www.djangoproject.com/weblog/2013/mar/28/django-151.
- Update to 1.5:
- Please read the release notes
https://docs.djangoproject.com/en/1.5/releases/1.5
- Update to 1.4.3:
- Security release:
- Host header poisoning
- Redirect poisoning
- Please check release notes for details:
https://www.djangoproject.com/weblog/2012/dec/10/security
- Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin
- Update to 1.4.2:
- Security release:
- Host header poisoning
- Please check release notes for details:
https://www.djangoproject.com/weblog/2012/oct/17/security
- Update to 1.4.1:
- Security release:
- Cross-site scripting in authentication views
- Denial-of-service in image validation
- Denial-of-service via get_image_dimensions()
- Please check release notes for details:
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued
- Add patch to support CSRF_COOKIE_HTTPONLY config
- Update to 1.4:
- Please read the release notes
https://docs.djangoproject.com/en/dev/releases/1.4
- Removed Patch2, it was merged on upstream,
- Set license to SDPX style (BSD-3-Clause)
- Package AUTHORS, LICENE and README files
- No CFLAGS for noarch package
- Drop runtime dependency on gettext-tools
- Update to 1.3.1 to fix security issues, please read
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued.
- Fix build on SLES_9.
- Update to 1.3 final;
- Refresh patch empty-ip-2.diff.
- Update to 1.3-rc1;
- Regenerated spec file with py2pack;
- No more need to fix wrong line endings;
- Refresh patch empty-ip-2.diff with -p0.
- Spec file cleanup:
* Removed empty lines, package authors from description
* Cleanup duplicates
* Corrected wrong file endings
* Added zero-length rpmlint filter
- Added AUTHORS, LICENSE and doc files
- Update to 1.2.5:
- This is a security update that fix:
- Flaw in CSRF handling;
- Potential XSS in file field rendering.
- Update to 1.2.4:
- Information leakage in Django administrative interface;
- Denial-of-service attack in password-reset mechanism.
- This is a mandatory security update.
- Update to 1.2.3:
- The patch applied for the security issue covered in Django
1.2.2 caused issues with non-ASCII responses using CSRF
tokens. This has been remedied;
- The patch also caused issues with some forms, most notably
the user-editing forms in the Django administrative interface.
This has been remedied.
- The packaging manifest did not contain the full list of
required files. This has been remedied.
- Update to 1.2.2.
- This is a ciritical security update fixing a default XSS bug!
- Added patch to fix upstream bug 5622: Empty ipaddress raises an error
- Update to 1.2.1.
- Update to 1.2.
- Update to 1.2-rc-1.
- Spec file cleaned with spec-cleaner;
- Minor manual adjusts on spec file.
- Moved autocomplete file path from /etc/profile.d to
/etc/bash_completion.d. Then it works with konsole too.
- Update to 1.2-beta-1;
- Using -q option on prep section of spec file;
- Using INSTALLED_FILES instead of declaring files;
- Removed dummy changelog section of spec file;
- Update completion bash patch.
- Update to 1.1.1 due to security issue described at
http://www.djangoproject.com/weblog/2009/oct/09/security/
- Removed old tarball file (Django-1.1.tar.bz2).
- Fix python version check.
- Don't require python-sqlite2 for python >= 2.6.
- Build as noarch on factory.
- don't run bash completion on shells other than bash. Avoiding
error messages produced at login when using other shells.
- Added bash auto-complete to openSUSE.
- update to version 1.1
- add python-django-rpmlintrc to quiet rpmlint complaints about -lang
- add python-xml to the Requires (./manage.py syncdb crashes
otherwise)
- update to version 1.0
- Fix build on SLES9
- update to version 1.0 final
- update to version 0.96.2
- The way simplejson is included in this package is not useful to other
packages. Removed from provides
- verion 0.96.1 fixes D.o.S attack in the i18n module
- update to version 0.96
see http://www.djangoproject.com/documentation/release_notes_0.96 for details
- this package provides python-simplejson too.
Patchnames
openSUSE-2023-77
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-Django", title: "Title of the patch", }, { category: "description", text: "This update for python-Django fixes the following issues:\n\n\n- CVE-2023-24580: Prevent DOS in file uploads. (boo#1208082)\n\nupdate to 1.11.15\n\n * CVE-2018-14574: Fixed Open redirect possibility in CommonMiddleware (boo#1102680)\n * Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+\n * Fixed a regression in Django 1.10 that could result in large memory usage\n when making edits using ModelAdmin.list_editable\n * Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list()\n after combining an annotated and unannotated queryset with union(), \n difference(), or intersection() crashed due to mismatching columns\n * Fixed crashes in django.contrib.admindocs when a view is a callable object,\n such as django.contrib.syndication.views.Feed\n * Fixed a regression in Django 1.11.8 where altering a field with a unique\n constraint may drop and rebuild more foreign keys than necessary\n * Fixed a regression in Django 1.11.8 where combining two annotated values_list()\n querysets with union(), difference(), or intersection() crashed due to mismatching columns \n * Fixed a regression in Django 1.11 where an empty choice could be\n initially selected for the SelectMultiple and CheckboxSelectMultiple widgets\n\n- Update to 1.11.11\n\n * Fixes CVE-2018-7536, CVE-2018-7537\n\n- Update to 1.11.10 LTS\n\n * Fixes CVE-2018-6188 boo#1077714, CVE-2017-7234, CVE-2017-7233,\n CVE-2017-12794\n\n- Change Requires: python-Pillow to python-imaging for compatibility\n with SLE-12 which provides PIL instead of Pillow. \n\n- Update to 1.9.9\n\n Bugfixes\n * Fixed invalid HTML in template postmortem on the debug page\n (#26938).\n * Fixed some GIS database function crashes on MySQL 5.7 (#26657).\n- Update to 1.9.8\n Fix XSS in admin’s add/change related popup (boo#988420)\n Unsafe usage of JavaScript’s Element.innerHTML could result in XSS\n in the admin’s add/change related popup. Element.textContent is now\n used to prevent execution of the data.\n The debug view also used innerHTML. Although a security issue wasn’t\n identified there, out of an abundance of caution it’s also updated\n to use textContent.\n Bugfixes\n * Fixed missing varchar/text_pattern_ops index on CharField and\n TextField respectively when using AddField on PostgreSQL (#26889).\n * Fixed makemessages crash on Python 2 with non-ASCII file names\n (#26897).\n- Update to 1.9.7\n Bugfixes\n * Removed the need for the request context processor on the admin\n login page to fix a regression in 1.9 (#26558).\n * Fixed translation of password validators’ help_text in forms\n (#26544).\n * Fixed a regression causing the cached template loader to crash\n when using lazy template names (#26603).\n * Fixed on_commit callbacks execution order when callbacks make\n transactions (#26627).\n * Fixed HStoreField to raise a ValidationError instead of crashing\n on non-dictionary JSON input (#26672).\n * Fixed dbshell crash on PostgreSQL with an empty database name\n (#26698).\n * Fixed a regression in queries on a OneToOneField that has to_field\n and primary_key=True (#26667).\n\n- Update to 1.9.6\n Bugfixes\n * Added support for relative path redirects to the test client and\n to SimpleTestCase.assertRedirects() because Django 1.9 no longer\n converts redirects to absolute URIs (#26428). \n * Fixed TimeField microseconds round-tripping on MySQL and SQLite\n (#26498).\n * Prevented makemigrations from generating infinite migrations for a\n model field that references a functools.partial (#26475).\n * Fixed a regression where SessionBase.pop() returned None rather\n than raising a KeyError for nonexistent values (#26520).\n * Fixed a regression causing the cached template loader to crash\n when using template names starting with a dash (#26536).\n * Restored conversion of an empty string to null when saving values\n of GenericIPAddressField on SQLite and MySQL (#26557).\n * Fixed a makemessages regression where temporary .py extensions\n were leaked in source file paths (#26341).\n \n\n- Update to 1.9.5\n\n- Update to 1.9.2\n Security issue\n * User with 'change' but not 'add' permission can create objects for\n ModelAdmin's with save_as=True\n Backwards incompatible change\n * .py-tpl files rewritten in project/app templates\n Bugfixes\n * Fixed a regression in ConditionalGetMiddleware causing\n If-None-Match checks to always return HTTP 200 (#26024).\n * Fixed a regression that caused the 'user-tools' items to display\n on the admin's logout page (#26035).\n * Fixed a crash in the translations system when the current language\n has no translations (#26046).\n * Fixed a regression that caused the incorrect day to be selected\n when opening the admin calendar widget for timezones from GMT+0100\n to GMT+1200 (#24980).\n * Fixed a regression in the admin's edit related model popup that\n caused an escaped value to be displayed in the select dropdown of\n the parent window (#25997).\n * Fixed a regression in 1.8.8 causing incorrect index handling in\n migrations on PostgreSQL when adding db_index=True or unique=True\n to a CharField or TextField that already had the other specified,\n or when removing one of them from a field that had both, or when\n adding unique=True to a field already listed in unique_together\n (#26034).\n * Fixed a regression where defining a relation on an abstract\n model's field using a string model name without an app_label no\n longer resolved that reference to the abstract model's app if\n using that model in another application (#25858).\n * Fixed a crash when destroying an existing test database on MySQL\n or PostgreSQL (#26096).\n * Fixed CSRF cookie check on POST requests when\n USE_X_FORWARDED_PORT=True (#26094).\n * Fixed a QuerySet.order_by() crash when ordering by a relational\n field of a ManyToManyField through model (#26092).\n * Fixed a regression that caused an exception when making database\n queries on SQLite with more than 2000 parameters when DEBUG is\n True on distributions that increase the SQLITE_MAX_VARIABLE_NUMBER\n compile-time limit to over 2000, such as Debian (#26063).\n * Fixed a crash when using a reverse OneToOneField in\n ModelAdmin.readonly_fields (#26060).\n * Fixed a crash when calling the migrate command in a test case with\n the available_apps attribute pointing to an application with\n migrations disabled using the MIGRATION_MODULES setting (#26135).\n * Restored the ability for testing and debugging tools to determine\n the template from which a node came from, even during template\n inheritance or inclusion. Prior to Django 1.9, debugging tools\n could access the template origin from the node via\n Node.token.source[0]. This was an undocumented, private API. The\n origin is now available directly on each node using the\n Node.origin attribute (#25848).\n * Fixed a regression in Django 1.8.5 that broke copying a\n SimpleLazyObject with copy.copy() (#26122).\n * Always included geometry_field in the GeoJSON serializer output\n regardless of the fields parameter (#26138).\n * Fixed the contrib.gis map widgets when using\n USE_THOUSAND_SEPARATOR=True (#20415).\n * Made invalid forms display the initial of values of their disabled\n fields (#26129).\n\n- Update to 1.9.1\n Bugfixes\n * Fixed BaseCache.get_or_set() with the DummyCache backend (#25840).\n * Fixed a regression in FormMixin causing forms to be validated\n twice (#25548, #26018).\n * Fixed a system check crash with nested ArrayFields (#25867).\n * Fixed a state bug when migrating a SeparateDatabaseAndState\n operation backwards (#25896).\n * Fixed a regression in CommonMiddleware causing If-None-Match\n checks to always return HTTP 200 (#25900).\n * Fixed missing varchar/text_pattern_ops index on CharField and\n TextField respectively when using AlterField on PostgreSQL\n (#25412).\n * Fixed admin’s delete confirmation page’s summary counts of related\n objects (#25883).\n * Added from __future__ import unicode_literals to the default\n apps.py created by startapp on Python 2 (#25909). Add this line to\n your own apps.py files created using Django 1.9 if you want your\n migrations to work on both Python 2 and Python 3.\n * Prevented QuerySet.delete() from crashing on MySQL when querying\n across relations.\n * Fixed evaluation of zero-length slices of QuerySet.values()\n (#25894).\n * ...\n * https://docs.djangoproject.com/en/1.9/releases/1.9.1/\n \n\n- update to 1.9\n * https://docs.djangoproject.com/en/1.9/releases/1.9/ \n * Performing actions after a transaction commit\n * Password validation\n * Permission mixins for class-based views\n * New styling for 'contrib.admin'\n * Running tests in parallel\n\n- update to 1.8.6:\n * https://docs.djangoproject.com/en/1.8/releases/1.8.5/\n * https://docs.djangoproject.com/en/1.8/releases/1.8.6/\n\n- add missing Requires for python-setuptools (boo#952198)\n /usr/bin/django-admin needs the pkg_resources framework from\n python-setuptools to run properly.\n\n- update to 1.8.4 (CVE-2015-5963):\n * https://docs.djangoproject.com/en/1.8/releases/1.8.4/\n\n- add keyring and verify source signature\n\n- update to 1.8.3:\n * https://docs.djangoproject.com/en/1.8/releases/1.8.3/\n Various bugfixes/security fixes (CVE-2015-5145, boo#937524)\n\n- update to 1.8.2 (CVE-2015-3982):\n * https://docs.djangoproject.com/en/1.8/releases/1.8.2/\n * https://docs.djangoproject.com/en/1.8/releases/1.8.1/\n\n- Update to Django 1.8\n * 'Long-Term Support' (LTS) release\n New features:\n * Model._meta API\n * Multiple template engines\n * Security enhancements\n * New PostgreSQL specific functionality\n * New data types\n * Query Expressions, Conditional Expressions, and Database Functions\n * TestCase data setup\n Backwards incompatible changes:\n * Related object operations are run in a transaction\n * Assigning unsaved objects to relations raises an error\n * Management commands that only accept positional arguments\n * Custom test management command arguments through test runner\n * Model check ensures auto-generated column names are within limits\n specified by database\n * Query relation lookups now check object types\n * select_related() now checks given fields\n * Default EmailField.max_length increased to 254\n * (DROP) Support for PostgreSQL versions older than 9.0\n * (DROP) Support for MySQL versions older than 5.5\n * (DROP) Support for Oracle versions older than 11.1\n * Specific privileges used instead of roles for tests on Oracle\n * ...\n\n- Update to Django 1.7.7:\n Security issues:\n * Denial-of-service possibility with strip_tags()\n * Mitigated possible XSS attack via user-supplied redirect URLs\n Bugfixes:\n * Fixed renaming of classes in migrations where renaming a subclass would\n cause incorrect state to be recorded for objects that referenced the\n superclass (#24354).\n * Stopped writing migration files in dry run mode when merging migration\n conflicts. When makemigrations --merge is called with verbosity=3 the\n migration file is written to stdout (:ticket: 24427).\n\n- Update to Djano 1.7.6:\n Bugfixes\n * Mitigated an XSS attack via properties in\n 'ModelAdmin.readonly_fields'\n * Fixed crash when coercing 'ManyRelatedManager' to a string\n (#24352).\n * Fixed a bug that prevented migrations from adding a foreign key\n constraint when converting an existing field to a foreign key\n (#24447).\n\n- Update to Django 1.7.5:\n Bugfixes\n * Reverted a fix that prevented a migration crash when unapplying\n contrib.contenttypes's or contrib.auth's first migration (#24075)\n due to severe impact on the test performance (#24251) and problems\n in multi-database setups (#24298).\n * Fixed a regression that prevented custom fields inheriting from\n ManyToManyField from being recognized in migrations (#24236).\n * Fixed crash in contrib.sites migrations when a default database\n isn't used (#24332).\n * Added the ability to set the isolation level on PostgreSQL with\n psycopg2 >= 2.4.2 (#24318). It was advertised as a new feature in\n Django 1.6 but it didn't work in practice.\n * Formats for the Azerbaijani locale (az) have been added.\n\n- Update to Django 1.7.4:\n Bugfixes\n * Fixed a migration crash when unapplying ``contrib.contenttypes``’s\n or ``contrib.auth``’s first migration (:ticket:`24075`).\n * Made the migration's ``RenameModel`` operation rename\n ``ManyToManyField`` tables (:ticket:`24135`).\n * Fixed a migration crash on MySQL when migrating from a\n ``OneToOneField`` to a ``ForeignKey`` (:ticket:`24163`).\n * Prevented the ``static.serve`` view from producing\n ``ResourceWarning``\\s in certain circumstances (security fix\n regression, :ticket:`24193`).\n * Fixed schema check for ManyToManyField to look for internal type\n instead of checking class instance, so you can write custom\n m2m-like fields with the same behavior. (:ticket:`24104`).\n\n- Update to Django 1.7.3:\n Security fixes:\n * WSGI header spoofing via underscore/dash conflation.\n * Mitigated possible XSS attack via user-supplied redirect URLs.\n * Denial-of-service attack against django.views.static.serve.\n * Database denial-of-service with ModelMultipleChoiceField.\n Bug fixes:\n * The default iteration count for the PBKDF2 password hasher has been\n increased by 25%. This part of the normal major release process was\n inadvertently omitted in 1.7. This backwards compatible change will not\n affect users who have subclassed\n django.contrib.auth.hashers.PBKDF2PasswordHasher to change the default\n value.\n * Fixed a crash in the CSRF middleware when handling non-ASCII referer \n header (#23815).\n * Fixed a crash in the django.contrib.auth.redirect_to_login view when \n passing a reverse_lazy() result on Python 3 (#24097).\n * Added correct formats for Greek (el) (#23967).\n * Fixed a migration crash when unapplying a migration where multiple \n operations interact with the same model (#24110).\n\n- South has been merged in main Django; provide and obsolete it\n\n- Update to Django 1.7.2:\n * Fixed migration’s renaming of auto-created many-to-many tables\n when changing Meta.db_table (#23630).\n * Fixed a migration crash when adding an explicit id field to a\n model on SQLite (#23702).\n * Added a warning for duplicate models when a module is\n reloaded. Previously a RuntimeError was raised every time two\n models clashed in the app registry. (#23621).\n * Prevented flush from loading initial data for migrated apps\n (#23699).\n * Fixed a makemessages regression in 1.7.1 when STATIC_ROOT has the\n default None value (#23717).\n * Added GeoDjango compatibility with mysqlclient database driver.\n * Fixed MySQL 5.6+ crash with GeometryFields in migrations (#23719).\n * Fixed a migration crash when removing a field that is referenced\n in AlterIndexTogether or AlterUniqueTogether (#23614).\n * Updated the first day of the week in the Ukrainian locale to\n Monday.\n * Added support for transactional spatial metadata initialization on\n SpatiaLite 4.1+ (#23152).\n * Fixed a migration crash that prevented changing a nullable field\n with a default to non-nullable with the same default (#23738).\n * Fixed a migration crash when adding GeometryFields with blank=True\n on PostGIS (#23731).\n * Allowed usage of DateTimeField() as Transform.output_field\n (#23420).\n * Fixed a migration serializing bug involving float('nan') and\n float('inf') (#23770).\n * Fixed a regression where custom form fields having a queryset\n attribute but no limit_choices_to could not be used in a ModelForm\n (#23795).\n * Fixed a custom field type validation error with MySQL backend when\n db_type returned None (#23761).\n * Fixed a migration crash when a field is renamed that is part of an\n index_together (#23859).\n * Fixed squashmigrations to respect the --no-optimize parameter\n (#23799).\n * Made RenameModel reversible (#22248)\n * Avoided unnecessary rollbacks of migrations from other apps when\n migrating backwards (#23410).\n * Fixed a rare query error when using deeply nested subqueries\n (#23605).\n * Fixed a crash in migrations when deleting a field that is part of\n a index/unique_together constraint (#23794).\n * Fixed django.core.files.File.__repr__() when the file’s name\n contains Unicode characters (#23888).\n * Added missing context to the admin’s delete_selected view that\n prevented custom site header, etc. from appearing (#23898).\n * Fixed a regression with dynamically generated inlines and allowed\n field references in the admin (#23754).\n * Fixed an infinite loop bug for certain cyclic migration\n dependencies, and made the error message for cyclic dependencies\n much more helpful.\n * Added missing index_together handling for SQLite (#23880).\n * Fixed a crash when RunSQL SQL content was collected by the schema\n editor, typically when using sqlmigrate (#23909).\n * Fixed a regression in contrib.admin add/change views which caused\n some ModelAdmin methods to receive the incorrect obj value\n (#23934).\n * Fixed runserver crash when socket error message contained Unicode\n characters (#23946).\n * Fixed serialization of type when adding a deconstruct() method\n (#23950).\n * Prevented the SessionAuthenticationMiddleware from setting a\n 'Vary: Cookie' header on all responses (#23939).\n * Fixed a crash when adding blank=True to TextField() on MySQL\n (#23920).\n * Fixed index creation by the migration infrastructure, particularly\n when dealing with PostgreSQL specific {text|varchar}_pattern_ops\n indexes (#23954).\n * Fixed bug in makemigrations that created broken migration files\n when dealing with multiple table inheritance and inheriting from\n more than one model (#23956).\n * Fixed a crash when a MultiValueField has invalid data (#23674).\n * Fixed a crash in the admin when using “Save as new” and also\n deleting a related inline (#23857).\n * Always converted related_name to text (unicode), since that is\n required on Python 3 for interpolation. Removed conversion of\n related_name to text in migration deconstruction (#23455 and\n #23982).\n * Enlarged the sizes of tablespaces which are created by default for\n testing on Oracle (the main tablespace was increased from 200M to\n 300M and the temporary tablespace from 100M to 150M). This was\n required to accommodate growth in Django’s own test suite\n (#23969).\n * Fixed timesince filter translations in Korean (#23989).\n * Fixed the SQLite SchemaEditor to properly add defaults in the\n absence of a user specified default. For example, a CharField with\n blank=True didn’t set existing rows to an empty string which\n resulted in a crash when adding the NOT NULL constraint (#23987).\n * makemigrations no longer prompts for a default value when adding\n TextField() or CharField() without a default (#23405).\n * Fixed a migration crash when adding order_with_respect_to to a\n table with existing rows (#23983).\n * Restored the pre_migrate signal if all apps have migrations\n (#23975).\n * Made admin system checks run for custom AdminSites (#23497).\n * Ensured the app registry is fully populated when unpickling\n models. When an external script (like a queueing infrastructure)\n reloads pickled models, it could crash with an AppRegistryNotReady\n exception (#24007).\n * Added quoting to field indexes in the SQL generated by migrations\n to prevent a crash when the index name requires it (##24015).\n * Added datetime.time support to migrations questioner (#23998).\n * Fixed admindocs crash on apps installed as eggs (#23525).\n * Changed migrations autodetector to generate an AlterModelOptions\n operation instead of DeleteModel and CreateModel operations when\n changing Meta.managed. This prevents data loss when changing\n managed from False to True and vice versa (#24037).\n * Enabled the sqlsequencereset command on apps with migrations\n (#24054).\n * Added tablespace SQL to apps with migrations (#24051).\n * Corrected contrib.sites default site creation in a multiple\n database setup (#24000).\n * Restored support for objects that aren’t str or bytes in\n mark_for_escaping() on Python 3.\n * Supported strings escaped by third-party libraries with the\n __html__ convention in the template engine (#23831).\n * Prevented extraneous DROP DEFAULT SQL in migrations (#23581).\n * Restored the ability to use more than five levels of subqueries\n (#23758).\n * Fixed crash when ValidationError is initialized with a\n ValidationError that is initialized with a dictionary (#24008).\n * Prevented a crash on apps without migrations when running migrate\n --list (#23366).\n\n- Update to Django 1.7.1\n * Allowed related many-to-many fields to be referenced in the admin\n (#23604).\n * Added a more helpful error message if you try to migrate an app\n without first creating the contenttypes table (#22411).\n * Modified migrations dependency algorithm to avoid possible\n infinite recursion.\n * Fixed a UnicodeDecodeError when the flush error message contained\n Unicode characters (#22882).\n * Reinstated missing CHECK SQL clauses which were omitted on some\n backends when not using migrations (#23416).\n * Fixed serialization of type objects in migrations (#22951).\n * Allowed inline and hidden references to admin fields (#23431).\n * The @deconstructible decorator now fails with a ValueError if the\n decorated object cannot automatically be imported (#23418).\n * Fixed a typo in an inlineformset_factory() error message that\n caused a crash (#23451).\n * Restored the ability to use ABSOLUTE_URL_OVERRIDES with the\n 'auth.User' model (#11775). As a side effect, the setting now adds\n a get_absolute_url() method to any model that appears in\n ABSOLUTE_URL_OVERRIDES but doesn’t define get_absolute_url().\n * Avoided masking some ImportError exceptions during application\n loading (#22920).\n * Empty index_together or unique_together model options no longer\n results in infinite migrations (#23452).\n * Fixed crash in contrib.sitemaps if lastmod returned a date rather\n than a datetime (#23403).\n * Allowed migrations to work with app_labels that have the same last\n part (e.g. django.contrib.auth and vendor.auth) (#23483).\n * Restored the ability to deepcopy F objects (#23492).\n * Formats for Welsh (cy) and several Chinese locales (zh_CN,\n zh_Hans, zh_Hant and zh_TW) have been added. Formats for\n Macedonian have been fixed (trailing dot removed, #23532).\n * Added quoting of constraint names in the SQL generated by\n migrations to prevent crash with uppercase characters in the name\n (#23065).\n * Fixed renaming of models with a self-referential many-to-many\n field (ManyToManyField('self')) (#23503).\n * Added the get_extra(), get_max_num(), and get_min_num() hooks to\n GenericInlineModelAdmin (#23539).\n * Made migrations.RunSQL no longer require percent sign\n escaping. This is now consistent with cursor.execute() (#23426).\n * Made the SERIALIZE entry in the TEST dictionary usable (#23421).\n * Fixed bug in migrations that prevented foreign key constraints to\n unmanaged models with a custom primary key (#23415).\n * Added SchemaEditor for MySQL GIS backend so that spatial indexes\n will be created for apps with migrations (#23538).\n * Added SchemaEditor for Oracle GIS backend so that spatial metadata\n and indexes will be created for apps with migrations (#23537).\n * Coerced the related_name model field option to unicode during\n migration generation to generate migrations that work with both\n Python 2 and 3 (#23455).\n * Fixed MigrationWriter to handle builtin types without imports\n (#23560).\n * Fixed deepcopy on ErrorList (#23594).\n * Made the admindocs view to browse view details check if the view\n specified in the URL exists in the URLconf. Previously it was\n possible to import arbitrary packages from the Python path. This\n was not considered a security issue because admindocs is only\n accessible to staff users (#23601).\n * Fixed UnicodeDecodeError crash in AdminEmailHandler with non-ASCII\n characters in the request (#23593).\n * Fixed missing get_or_create and update_or_create on related\n managers causing IntegrityError (#23611).\n * Made urlsafe_base64_decode() return the proper type (byte string)\n on Python 3 (#23333).\n * makemigrations can now serialize timezone-aware values (#23365).\n * Added a prompt to the migrations questioner when removing the null\n constraint from a field to prevent an IntegrityError on existing\n NULL rows (#23609).\n * Fixed generic relations in ModelAdmin.list_filter (#23616).\n * Restored RFC compliance for the SMTP backend on Python 3 (#23063).\n * Fixed a crash while parsing cookies containing invalid content\n (#23638).\n * The system check framework now raises error models.E020 when the\n class method Model.check() is unreachable (#23615).\n * Made the Oracle test database creation drop the test user in the\n event of an unclean exit of a previous test run (#23649).\n * Fixed makemigrations to detect changes to Meta.db_table (#23629).\n * Fixed a regression when feeding the Django test client with an\n empty data string (#21740).\n * Fixed a regression in makemessages where static files were\n unexpectedly ignored (#23583).\n\n- Update to Django 1.7\n * A new built-in database migration system. Notes on upgrading from\n South (a popular third*party application providing migration\n functionality) are also available.\n * A refactored concept of Django applications. Django applications\n are no longer tied to the existence of a models files, and can now\n specify both configuration data and code to be executed as Django\n starts up.\n * Improvements to the model Field API to support migrations and, in\n the future, to enable easy addition of composite-key support to\n Django's ORM.\n * Improvements for custom Manager and QuerySet classes, allowing\n reverse relationship traversal to specify the Manager to use, and\n creation of a Manager from a custom QuerySet class.\n * An extensible system check framework which can assist developers\n in detecting and diagnosing errors.\n Please refer to the release notes for all details and migration\n instructions:\n https://docs.djangoproject.com/en/1.7/releases/1.7/\n- Added python-setuptools as a BuildRequires.\n- Fixed Source URL from Django Project site.\n- Reordered sources.\n- Fixed deduplication to avoid wrong mtimes in pyc files.\n\n- Rename rpmlintrc to %{name}-rpmlintrc.\n Follow the packaging guidelines.\n\n- Update to version 1.6.5, sercurity and important changes:\n + Unexpected code execution using reverse()\n + Caching of anonymous pages could reveal CSRF token\n + MySQL typecasting\n + select_for_update() requires a transaction\n + Issue: Caches may incorrectly be allowed to store and serve private data\n + Issue: Malformed redirect URLs from user input not correctly validated\n\n- Fix update-alternatives\n\n- Update to version 1.6.2:\n + Prevented the base geometry object of a prepared geometry to be garbage\n collected, which could lead to crash Django (#21662).\n + Fixed a crash when executing the changepassword command when the user\n object representation contained non-ASCII characters (#21627).\n + The collectstatic command will raise an error rather than default to\n using the current working directory if STATIC_ROOT is not set. Combined\n with the --clear option, the previous behavior could wipe anything\n below the current working directory (#21581).\n + Fixed mail encoding on Python 3.3.3+ (#21093).\n + Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False,\n the connection wasn’t in autocommit mode but Django pretended it was.\n + Fixed a regression in multiple-table inheritance exclude() queries (#21787).\n + Added missing items to django.utils.timezone.__all__ (#21880).\n + Fixed a field misalignment issue with select_related() and model inheritance (#21413).\n + Fixed join promotion for negated AND conditions (#21748).\n + Oracle database introspection now works with boolean and float fields (#19884).\n + Fixed an issue where lazy objects weren’t actually marked as safe when\n passed through mark_safe() and could end up being double-escaped (#21882).\n\n- Update to version 1.6.1:\n - Most bug fixes are minor; you can find a complete list in the Django 1.6.1\n release notes.\n\n- Update-alternatives also for bash-completion\n\n- Only ghost /etc/alternatives on 12.3 or newer\n\n- Require python-Pillow for image-related functionality\n- Package was renamed from python-django\n- Drop Django-1.2-completion-only-for-bash.patch: Useless\n\n- Update to version 1.6:\n - Please read the release notes\n https://docs.djangoproject.com/en/1.6/releases/1.6\n- Removed Patch2 as it is no needed anymore:\n Django-1.4-CSRF_COOKIE_HTTPONLY-support.patch\n\n- Update to version 1.5.4:\n + Fixed denial-of-service via large passwords\n- Changes from version 1.5.3:\n + Fixed directory traversal with ssi template tag\n\n- Update to 1.5.2:\n - Security release, please check release notes for details:\n https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued\n\n- Update to 1.5.1:\n - Memory leak fix, please read release announcement at\n https://www.djangoproject.com/weblog/2013/mar/28/django-151.\n\n- Update to 1.5:\n - Please read the release notes\n https://docs.djangoproject.com/en/1.5/releases/1.5\n\n- Update to 1.4.3:\n - Security release:\n - Host header poisoning\n - Redirect poisoning\n - Please check release notes for details:\n https://www.djangoproject.com/weblog/2012/dec/10/security\n\n- Add a symlink from /usr/bin/django-admin.py to /usr/bin/django-admin\n\n- Update to 1.4.2:\n - Security release:\n - Host header poisoning\n - Please check release notes for details:\n https://www.djangoproject.com/weblog/2012/oct/17/security\n\n- Update to 1.4.1:\n - Security release:\n - Cross-site scripting in authentication views\n - Denial-of-service in image validation\n - Denial-of-service via get_image_dimensions()\n - Please check release notes for details:\n https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued\n\n- Add patch to support CSRF_COOKIE_HTTPONLY config\n\n- Update to 1.4:\n - Please read the release notes\n https://docs.djangoproject.com/en/dev/releases/1.4\n- Removed Patch2, it was merged on upstream,\n\n- Set license to SDPX style (BSD-3-Clause)\n- Package AUTHORS, LICENE and README files\n- No CFLAGS for noarch package\n- Drop runtime dependency on gettext-tools\n\n- Update to 1.3.1 to fix security issues, please read\n https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued.\n\n- Fix build on SLES_9.\n\n- Update to 1.3 final;\n- Refresh patch empty-ip-2.diff.\n\n- Update to 1.3-rc1;\n- Regenerated spec file with py2pack;\n- No more need to fix wrong line endings;\n- Refresh patch empty-ip-2.diff with -p0.\n\n- Spec file cleanup:\n * Removed empty lines, package authors from description\n * Cleanup duplicates\n * Corrected wrong file endings\n * Added zero-length rpmlint filter\n- Added AUTHORS, LICENSE and doc files\n\n- Update to 1.2.5:\n - This is a security update that fix:\n - Flaw in CSRF handling;\n - Potential XSS in file field rendering.\n\n- Update to 1.2.4:\n - Information leakage in Django administrative interface;\n - Denial-of-service attack in password-reset mechanism.\n- This is a mandatory security update.\n\n- Update to 1.2.3:\n - The patch applied for the security issue covered in Django\n 1.2.2 caused issues with non-ASCII responses using CSRF\n tokens. This has been remedied;\n - The patch also caused issues with some forms, most notably\n the user-editing forms in the Django administrative interface.\n This has been remedied.\n - The packaging manifest did not contain the full list of\n required files. This has been remedied.\n\n- Update to 1.2.2.\n- This is a ciritical security update fixing a default XSS bug!\n\n- Added patch to fix upstream bug 5622: Empty ipaddress raises an error\n\n- Update to 1.2.1.\n\n- Update to 1.2.\n\n- Update to 1.2-rc-1.\n\n- Spec file cleaned with spec-cleaner;\n- Minor manual adjusts on spec file.\n\n- Moved autocomplete file path from /etc/profile.d to\n /etc/bash_completion.d. Then it works with konsole too.\n\n- Update to 1.2-beta-1;\n- Using -q option on prep section of spec file;\n- Using INSTALLED_FILES instead of declaring files;\n- Removed dummy changelog section of spec file;\n- Update completion bash patch.\n\n- Update to 1.1.1 due to security issue described at\n http://www.djangoproject.com/weblog/2009/oct/09/security/\n\n- Removed old tarball file (Django-1.1.tar.bz2).\n\n- Fix python version check.\n\n- Don't require python-sqlite2 for python >= 2.6.\n\n- Build as noarch on factory.\n\n- don't run bash completion on shells other than bash. Avoiding\n error messages produced at login when using other shells.\n\n- Added bash auto-complete to openSUSE.\n\n- update to version 1.1\n- add python-django-rpmlintrc to quiet rpmlint complaints about -lang\n\n- add python-xml to the Requires (./manage.py syncdb crashes\n otherwise)\n\n- update to version 1.0\n- Fix build on SLES9\n\n- update to version 1.0 final\n\n- update to version 0.96.2\n\n- The way simplejson is included in this package is not useful to other\n packages. Removed from provides\n\n- verion 0.96.1 fixes D.o.S attack in the i18n module\n\n- update to version 0.96\n see http://www.djangoproject.com/documentation/release_notes_0.96 for details\n\t - this package provides python-simplejson too.\n\n\t ", title: "Description of the patch", }, { category: "details", text: "openSUSE-2023-77", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0077-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2023:0077-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGS4NP24275NERRPQV6A6EONV6W3C2SK/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2023:0077-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGS4NP24275NERRPQV6A6EONV6W3C2SK/", }, { category: "self", summary: "SUSE Bug 1077714", url: "https://bugzilla.suse.com/1077714", }, { category: "self", summary: "SUSE Bug 1102680", url: "https://bugzilla.suse.com/1102680", }, { category: "self", summary: "SUSE Bug 1208082", url: "https://bugzilla.suse.com/1208082", }, { category: "self", summary: "SUSE Bug 937524", url: "https://bugzilla.suse.com/937524", }, { category: "self", summary: "SUSE Bug 952198", url: "https://bugzilla.suse.com/952198", }, { category: "self", summary: "SUSE Bug 988420", url: "https://bugzilla.suse.com/988420", }, { category: "self", summary: "SUSE CVE CVE-2015-3982 page", url: "https://www.suse.com/security/cve/CVE-2015-3982/", }, { category: "self", summary: "SUSE CVE CVE-2015-5145 page", url: "https://www.suse.com/security/cve/CVE-2015-5145/", }, { category: "self", summary: "SUSE CVE CVE-2015-5963 page", url: "https://www.suse.com/security/cve/CVE-2015-5963/", }, { category: "self", summary: "SUSE CVE CVE-2017-12794 page", url: "https://www.suse.com/security/cve/CVE-2017-12794/", }, { category: "self", summary: "SUSE CVE CVE-2017-7233 page", url: "https://www.suse.com/security/cve/CVE-2017-7233/", }, { category: "self", summary: "SUSE CVE CVE-2017-7234 page", url: "https://www.suse.com/security/cve/CVE-2017-7234/", }, { category: "self", summary: "SUSE CVE CVE-2018-14574 page", url: "https://www.suse.com/security/cve/CVE-2018-14574/", }, { category: "self", summary: "SUSE CVE CVE-2018-6188 page", url: "https://www.suse.com/security/cve/CVE-2018-6188/", }, { category: "self", summary: "SUSE CVE CVE-2018-7536 page", url: "https://www.suse.com/security/cve/CVE-2018-7536/", }, { category: "self", summary: "SUSE CVE CVE-2018-7537 page", url: "https://www.suse.com/security/cve/CVE-2018-7537/", }, { category: "self", summary: "SUSE CVE CVE-2023-24580 page", url: "https://www.suse.com/security/cve/CVE-2023-24580/", }, ], title: "Security update for python-Django", tracking: { current_release_date: "2023-03-20T15:09:03Z", generator: { date: "2023-03-20T15:09:03Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2023:0077-1", initial_release_date: "2023-03-20T15:09:03Z", revision_history: [ { date: "2023-03-20T15:09:03Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-Django-1.11.15-2.1.noarch", product: { name: "python-Django-1.11.15-2.1.noarch", product_id: "python-Django-1.11.15-2.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Package Hub 12 SP1", product: { name: "SUSE Package Hub 12 SP1", product_id: "SUSE Package Hub 12 SP1", product_identification_helper: { cpe: "cpe:/o:suse:packagehub:12:sp1", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-Django-1.11.15-2.1.noarch as component of SUSE Package Hub 12 SP1", product_id: "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", }, product_reference: "python-Django-1.11.15-2.1.noarch", relates_to_product_reference: "SUSE Package Hub 12 SP1", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3982", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-3982", }, ], notes: [ { category: "general", text: "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2015-3982", url: "https://www.suse.com/security/cve/CVE-2015-3982", }, { category: "external", summary: "SUSE Bug 932265 for CVE-2015-3982", url: "https://bugzilla.suse.com/932265", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "moderate", }, ], title: "CVE-2015-3982", }, { cve: "CVE-2015-5145", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5145", }, ], notes: [ { category: "general", text: "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2015-5145", url: "https://www.suse.com/security/cve/CVE-2015-5145", }, { category: "external", summary: "SUSE Bug 937524 for CVE-2015-5145", url: "https://bugzilla.suse.com/937524", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "important", }, ], title: "CVE-2015-5145", }, { cve: "CVE-2015-5963", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5963", }, ], notes: [ { category: "general", text: "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2015-5963", url: "https://www.suse.com/security/cve/CVE-2015-5963", }, { category: "external", summary: "SUSE Bug 941587 for CVE-2015-5963", url: "https://bugzilla.suse.com/941587", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "moderate", }, ], title: "CVE-2015-5963", }, { cve: "CVE-2017-12794", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12794", }, ], notes: [ { category: "general", text: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-12794", url: "https://www.suse.com/security/cve/CVE-2017-12794", }, { category: "external", summary: "SUSE Bug 1056284 for CVE-2017-12794", url: "https://bugzilla.suse.com/1056284", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "moderate", }, ], title: "CVE-2017-12794", }, { cve: "CVE-2017-7233", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7233", }, ], notes: [ { category: "general", text: "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7233", url: "https://www.suse.com/security/cve/CVE-2017-7233", }, { category: "external", summary: "SUSE Bug 1031450 for CVE-2017-7233", url: "https://bugzilla.suse.com/1031450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "low", }, ], title: "CVE-2017-7233", }, { cve: "CVE-2017-7234", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7234", }, ], notes: [ { category: "general", text: "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7234", url: "https://www.suse.com/security/cve/CVE-2017-7234", }, { category: "external", summary: "SUSE Bug 1031451 for CVE-2017-7234", url: "https://bugzilla.suse.com/1031451", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "low", }, ], title: "CVE-2017-7234", }, { cve: "CVE-2018-14574", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-14574", }, ], notes: [ { category: "general", text: "django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-14574", url: "https://www.suse.com/security/cve/CVE-2018-14574", }, { category: "external", summary: "SUSE Bug 1102680 for CVE-2018-14574", url: "https://bugzilla.suse.com/1102680", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 4.2, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", version: "3.0", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "moderate", }, ], title: "CVE-2018-14574", }, { cve: "CVE-2018-6188", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6188", }, ], notes: [ { category: "general", text: "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-6188", url: "https://www.suse.com/security/cve/CVE-2018-6188", }, { category: "external", summary: "SUSE Bug 1077714 for CVE-2018-6188", url: "https://bugzilla.suse.com/1077714", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "important", }, ], title: "CVE-2018-6188", }, { cve: "CVE-2018-7536", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7536", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-7536", url: "https://www.suse.com/security/cve/CVE-2018-7536", }, { category: "external", summary: "SUSE Bug 1083304 for CVE-2018-7536", url: "https://bugzilla.suse.com/1083304", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "moderate", }, ], title: "CVE-2018-7536", }, { cve: "CVE-2018-7537", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7537", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-7537", url: "https://www.suse.com/security/cve/CVE-2018-7537", }, { category: "external", summary: "SUSE Bug 1083305 for CVE-2018-7537", url: "https://bugzilla.suse.com/1083305", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "moderate", }, ], title: "CVE-2018-7537", }, { cve: "CVE-2023-24580", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-24580", }, ], notes: [ { category: "general", text: "An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2023-24580", url: "https://www.suse.com/security/cve/CVE-2023-24580", }, { category: "external", summary: "SUSE Bug 1208082 for CVE-2023-24580", url: "https://bugzilla.suse.com/1208082", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1.noarch", ], }, ], threats: [ { category: "impact", date: "2023-03-20T15:09:03Z", details: "important", }, ], title: "CVE-2023-24580", }, ], }
opensuse-su-2024:13887-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python310-Django-4.2.11-2.1 on GA media
Notes
Title of the patch
python310-Django-4.2.11-2.1 on GA media
Description of the patch
These are all security issues fixed in the python310-Django-4.2.11-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13887
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "python310-Django-4.2.11-2.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the python310-Django-4.2.11-2.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-13887", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13887-1.json", }, { category: "self", summary: "SUSE CVE CVE-2015-3982 page", url: "https://www.suse.com/security/cve/CVE-2015-3982/", }, { category: "self", summary: "SUSE CVE CVE-2015-5145 page", url: "https://www.suse.com/security/cve/CVE-2015-5145/", }, { category: "self", summary: "SUSE CVE CVE-2015-5963 page", url: "https://www.suse.com/security/cve/CVE-2015-5963/", }, { category: "self", summary: "SUSE CVE CVE-2016-7401 page", url: "https://www.suse.com/security/cve/CVE-2016-7401/", }, { category: "self", summary: "SUSE CVE CVE-2017-12794 page", url: "https://www.suse.com/security/cve/CVE-2017-12794/", }, { category: "self", summary: "SUSE CVE CVE-2017-7233 page", url: "https://www.suse.com/security/cve/CVE-2017-7233/", }, { category: "self", summary: "SUSE CVE CVE-2017-7234 page", url: "https://www.suse.com/security/cve/CVE-2017-7234/", }, { category: "self", summary: "SUSE CVE CVE-2018-16984 page", url: "https://www.suse.com/security/cve/CVE-2018-16984/", }, { category: "self", summary: "SUSE CVE CVE-2018-6188 page", url: "https://www.suse.com/security/cve/CVE-2018-6188/", }, { category: "self", summary: "SUSE CVE CVE-2018-7536 page", url: "https://www.suse.com/security/cve/CVE-2018-7536/", }, { category: "self", summary: "SUSE CVE CVE-2018-7537 page", url: "https://www.suse.com/security/cve/CVE-2018-7537/", }, { category: "self", summary: "SUSE CVE CVE-2019-11358 page", url: "https://www.suse.com/security/cve/CVE-2019-11358/", }, { category: "self", summary: "SUSE CVE CVE-2019-12308 page", url: "https://www.suse.com/security/cve/CVE-2019-12308/", }, { category: "self", summary: "SUSE CVE CVE-2019-12781 page", url: "https://www.suse.com/security/cve/CVE-2019-12781/", }, { category: "self", summary: "SUSE CVE CVE-2019-14232 page", url: "https://www.suse.com/security/cve/CVE-2019-14232/", }, { category: "self", summary: "SUSE CVE CVE-2019-19118 page", url: "https://www.suse.com/security/cve/CVE-2019-19118/", }, { category: "self", summary: "SUSE CVE CVE-2019-19844 page", url: "https://www.suse.com/security/cve/CVE-2019-19844/", }, { category: "self", summary: "SUSE CVE CVE-2019-3498 page", url: "https://www.suse.com/security/cve/CVE-2019-3498/", }, { category: "self", summary: "SUSE CVE CVE-2019-6975 page", url: "https://www.suse.com/security/cve/CVE-2019-6975/", }, { category: "self", summary: "SUSE CVE CVE-2020-13254 page", url: "https://www.suse.com/security/cve/CVE-2020-13254/", }, { category: "self", summary: "SUSE CVE CVE-2020-13596 page", url: "https://www.suse.com/security/cve/CVE-2020-13596/", }, { category: "self", summary: "SUSE CVE CVE-2020-24583 page", url: "https://www.suse.com/security/cve/CVE-2020-24583/", }, { category: "self", summary: "SUSE CVE CVE-2020-24584 page", url: "https://www.suse.com/security/cve/CVE-2020-24584/", }, { category: "self", summary: "SUSE CVE CVE-2020-7471 page", url: "https://www.suse.com/security/cve/CVE-2020-7471/", }, { category: "self", summary: "SUSE CVE CVE-2020-9402 page", url: "https://www.suse.com/security/cve/CVE-2020-9402/", }, { category: "self", summary: "SUSE CVE CVE-2021-31542 page", url: "https://www.suse.com/security/cve/CVE-2021-31542/", }, { category: "self", summary: "SUSE CVE CVE-2021-32052 page", url: "https://www.suse.com/security/cve/CVE-2021-32052/", }, { category: "self", summary: "SUSE CVE CVE-2021-33203 page", url: "https://www.suse.com/security/cve/CVE-2021-33203/", }, { category: "self", summary: "SUSE CVE CVE-2021-33571 page", url: "https://www.suse.com/security/cve/CVE-2021-33571/", }, { category: "self", summary: "SUSE CVE CVE-2021-35042 page", url: "https://www.suse.com/security/cve/CVE-2021-35042/", }, ], title: "python310-Django-4.2.11-2.1 on GA media", tracking: { current_release_date: "2024-06-15T00:00:00Z", generator: { date: "2024-06-15T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:13887-1", initial_release_date: "2024-06-15T00:00:00Z", revision_history: [ { date: "2024-06-15T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python310-Django-4.2.11-2.1.aarch64", product: { name: "python310-Django-4.2.11-2.1.aarch64", product_id: "python310-Django-4.2.11-2.1.aarch64", }, }, { category: "product_version", name: "python311-Django-4.2.11-2.1.aarch64", product: { name: "python311-Django-4.2.11-2.1.aarch64", product_id: "python311-Django-4.2.11-2.1.aarch64", }, }, { category: "product_version", name: "python312-Django-4.2.11-2.1.aarch64", product: { name: "python312-Django-4.2.11-2.1.aarch64", product_id: "python312-Django-4.2.11-2.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "python310-Django-4.2.11-2.1.ppc64le", product: { name: "python310-Django-4.2.11-2.1.ppc64le", product_id: "python310-Django-4.2.11-2.1.ppc64le", }, }, { category: "product_version", name: "python311-Django-4.2.11-2.1.ppc64le", product: { name: "python311-Django-4.2.11-2.1.ppc64le", product_id: "python311-Django-4.2.11-2.1.ppc64le", }, }, { category: "product_version", name: "python312-Django-4.2.11-2.1.ppc64le", product: { name: "python312-Django-4.2.11-2.1.ppc64le", product_id: "python312-Django-4.2.11-2.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "python310-Django-4.2.11-2.1.s390x", product: { name: "python310-Django-4.2.11-2.1.s390x", product_id: "python310-Django-4.2.11-2.1.s390x", }, }, { category: "product_version", name: "python311-Django-4.2.11-2.1.s390x", product: { name: "python311-Django-4.2.11-2.1.s390x", product_id: "python311-Django-4.2.11-2.1.s390x", }, }, { category: "product_version", name: "python312-Django-4.2.11-2.1.s390x", product: { name: "python312-Django-4.2.11-2.1.s390x", product_id: "python312-Django-4.2.11-2.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "python310-Django-4.2.11-2.1.x86_64", product: { name: "python310-Django-4.2.11-2.1.x86_64", product_id: "python310-Django-4.2.11-2.1.x86_64", }, }, { category: "product_version", name: "python311-Django-4.2.11-2.1.x86_64", product: { name: "python311-Django-4.2.11-2.1.x86_64", product_id: "python311-Django-4.2.11-2.1.x86_64", }, }, { category: "product_version", name: "python312-Django-4.2.11-2.1.x86_64", product: { name: "python312-Django-4.2.11-2.1.x86_64", product_id: "python312-Django-4.2.11-2.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python310-Django-4.2.11-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", }, product_reference: "python310-Django-4.2.11-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Django-4.2.11-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", }, product_reference: "python310-Django-4.2.11-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Django-4.2.11-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", }, product_reference: "python310-Django-4.2.11-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python310-Django-4.2.11-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", }, product_reference: "python310-Django-4.2.11-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django-4.2.11-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", }, product_reference: "python311-Django-4.2.11-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django-4.2.11-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", }, product_reference: "python311-Django-4.2.11-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django-4.2.11-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", }, product_reference: "python311-Django-4.2.11-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python311-Django-4.2.11-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", }, product_reference: "python311-Django-4.2.11-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django-4.2.11-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", }, product_reference: "python312-Django-4.2.11-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django-4.2.11-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", }, product_reference: "python312-Django-4.2.11-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django-4.2.11-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", }, product_reference: "python312-Django-4.2.11-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "python312-Django-4.2.11-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", }, product_reference: "python312-Django-4.2.11-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2015-3982", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-3982", }, ], notes: [ { category: "general", text: "The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the session key.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-3982", url: "https://www.suse.com/security/cve/CVE-2015-3982", }, { category: "external", summary: "SUSE Bug 932265 for CVE-2015-3982", url: "https://bugzilla.suse.com/932265", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2015-3982", }, { cve: "CVE-2015-5145", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5145", }, ], notes: [ { category: "general", text: "validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-5145", url: "https://www.suse.com/security/cve/CVE-2015-5145", }, { category: "external", summary: "SUSE Bug 937524 for CVE-2015-5145", url: "https://bugzilla.suse.com/937524", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2015-5145", }, { cve: "CVE-2015-5963", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2015-5963", }, ], notes: [ { category: "general", text: "contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service (session store consumption or session record removal) via a large number of requests to contrib.auth.views.logout, which triggers the creation of an empty session record.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2015-5963", url: "https://www.suse.com/security/cve/CVE-2015-5963", }, { category: "external", summary: "SUSE Bug 941587 for CVE-2015-5963", url: "https://bugzilla.suse.com/941587", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2015-5963", }, { cve: "CVE-2016-7401", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2016-7401", }, ], notes: [ { category: "general", text: "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2016-7401", url: "https://www.suse.com/security/cve/CVE-2016-7401", }, { category: "external", summary: "SUSE Bug 1001374 for CVE-2016-7401", url: "https://bugzilla.suse.com/1001374", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2016-7401", }, { cve: "CVE-2017-12794", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12794", }, ], notes: [ { category: "general", text: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-12794", url: "https://www.suse.com/security/cve/CVE-2017-12794", }, { category: "external", summary: "SUSE Bug 1056284 for CVE-2017-12794", url: "https://bugzilla.suse.com/1056284", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2017-12794", }, { cve: "CVE-2017-7233", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7233", }, ], notes: [ { category: "general", text: "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-7233", url: "https://www.suse.com/security/cve/CVE-2017-7233", }, { category: "external", summary: "SUSE Bug 1031450 for CVE-2017-7233", url: "https://bugzilla.suse.com/1031450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "low", }, ], title: "CVE-2017-7233", }, { cve: "CVE-2017-7234", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7234", }, ], notes: [ { category: "general", text: "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2017-7234", url: "https://www.suse.com/security/cve/CVE-2017-7234", }, { category: "external", summary: "SUSE Bug 1031451 for CVE-2017-7234", url: "https://bugzilla.suse.com/1031451", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "low", }, ], title: "CVE-2017-7234", }, { cve: "CVE-2018-16984", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-16984", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the \"view\" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-16984", url: "https://www.suse.com/security/cve/CVE-2018-16984", }, { category: "external", summary: "SUSE Bug 1109621 for CVE-2018-16984", url: "https://bugzilla.suse.com/1109621", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-16984", }, { cve: "CVE-2018-6188", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6188", }, ], notes: [ { category: "general", text: "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-6188", url: "https://www.suse.com/security/cve/CVE-2018-6188", }, { category: "external", summary: "SUSE Bug 1077714 for CVE-2018-6188", url: "https://bugzilla.suse.com/1077714", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2018-6188", }, { cve: "CVE-2018-7536", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7536", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-7536", url: "https://www.suse.com/security/cve/CVE-2018-7536", }, { category: "external", summary: "SUSE Bug 1083304 for CVE-2018-7536", url: "https://bugzilla.suse.com/1083304", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-7536", }, { cve: "CVE-2018-7537", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-7537", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-7537", url: "https://www.suse.com/security/cve/CVE-2018-7537", }, { category: "external", summary: "SUSE Bug 1083305 for CVE-2018-7537", url: "https://bugzilla.suse.com/1083305", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2018-7537", }, { cve: "CVE-2019-11358", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-11358", }, ], notes: [ { category: "general", text: "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-11358", url: "https://www.suse.com/security/cve/CVE-2019-11358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-11358", }, { cve: "CVE-2019-12308", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-12308", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-12308", url: "https://www.suse.com/security/cve/CVE-2019-12308", }, { category: "external", summary: "SUSE Bug 1136468 for CVE-2019-12308", url: "https://bugzilla.suse.com/1136468", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-12308", }, { cve: "CVE-2019-12781", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-12781", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-12781", url: "https://www.suse.com/security/cve/CVE-2019-12781", }, { category: "external", summary: "SUSE Bug 1124991 for CVE-2019-12781", url: "https://bugzilla.suse.com/1124991", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-12781", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-12781", }, { cve: "CVE-2019-14232", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-14232", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-14232", url: "https://www.suse.com/security/cve/CVE-2019-14232", }, { category: "external", summary: "SUSE Bug 1142880 for CVE-2019-14232", url: "https://bugzilla.suse.com/1142880", }, { category: "external", summary: "SUSE Bug 1215978 for CVE-2019-14232", url: "https://bugzilla.suse.com/1215978", }, { category: "external", summary: "SUSE Bug 1220358 for CVE-2019-14232", url: "https://bugzilla.suse.com/1220358", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2019-14232", }, { cve: "CVE-2019-19118", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-19118", }, ], notes: [ { category: "general", text: "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-19118", url: "https://www.suse.com/security/cve/CVE-2019-19118", }, { category: "external", summary: "SUSE Bug 1157705 for CVE-2019-19118", url: "https://bugzilla.suse.com/1157705", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-19118", }, { cve: "CVE-2019-19844", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-19844", }, ], notes: [ { category: "general", text: "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-19844", url: "https://www.suse.com/security/cve/CVE-2019-19844", }, { category: "external", summary: "SUSE Bug 1159447 for CVE-2019-19844", url: "https://bugzilla.suse.com/1159447", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-19844", }, { cve: "CVE-2019-3498", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-3498", }, ], notes: [ { category: "general", text: "In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-3498", url: "https://www.suse.com/security/cve/CVE-2019-3498", }, { category: "external", summary: "SUSE Bug 1120932 for CVE-2019-3498", url: "https://bugzilla.suse.com/1120932", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-3498", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "low", }, ], title: "CVE-2019-3498", }, { cve: "CVE-2019-6975", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-6975", }, ], notes: [ { category: "general", text: "Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-6975", url: "https://www.suse.com/security/cve/CVE-2019-6975", }, { category: "external", summary: "SUSE Bug 1124991 for CVE-2019-6975", url: "https://bugzilla.suse.com/1124991", }, { category: "external", summary: "SUSE Bug 1139945 for CVE-2019-6975", url: "https://bugzilla.suse.com/1139945", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2019-6975", }, { cve: "CVE-2020-13254", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-13254", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-13254", url: "https://www.suse.com/security/cve/CVE-2020-13254", }, { category: "external", summary: "SUSE Bug 1172166 for CVE-2020-13254", url: "https://bugzilla.suse.com/1172166", }, { category: "external", summary: "SUSE Bug 1172167 for CVE-2020-13254", url: "https://bugzilla.suse.com/1172167", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-13254", }, { cve: "CVE-2020-13596", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-13596", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-13596", url: "https://www.suse.com/security/cve/CVE-2020-13596", }, { category: "external", summary: "SUSE Bug 1172166 for CVE-2020-13596", url: "https://bugzilla.suse.com/1172166", }, { category: "external", summary: "SUSE Bug 1172167 for CVE-2020-13596", url: "https://bugzilla.suse.com/1172167", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2020-13596", }, { cve: "CVE-2020-24583", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-24583", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-24583", url: "https://www.suse.com/security/cve/CVE-2020-24583", }, { category: "external", summary: "SUSE Bug 1175784 for CVE-2020-24583", url: "https://bugzilla.suse.com/1175784", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-24583", }, { cve: "CVE-2020-24584", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-24584", }, ], notes: [ { category: "general", text: "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-24584", url: "https://www.suse.com/security/cve/CVE-2020-24584", }, { category: "external", summary: "SUSE Bug 1175784 for CVE-2020-24584", url: "https://bugzilla.suse.com/1175784", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-24584", }, { cve: "CVE-2020-7471", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-7471", }, ], notes: [ { category: "general", text: "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-7471", url: "https://www.suse.com/security/cve/CVE-2020-7471", }, { category: "external", summary: "SUSE Bug 1161919 for CVE-2020-7471", url: "https://bugzilla.suse.com/1161919", }, { category: "external", summary: "SUSE Bug 1161920 for CVE-2020-7471", url: "https://bugzilla.suse.com/1161920", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.6, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-7471", }, { cve: "CVE-2020-9402", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-9402", }, ], notes: [ { category: "general", text: "Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-9402", url: "https://www.suse.com/security/cve/CVE-2020-9402", }, { category: "external", summary: "SUSE Bug 1165022 for CVE-2020-9402", url: "https://bugzilla.suse.com/1165022", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.6, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2020-9402", }, { cve: "CVE-2021-31542", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-31542", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-31542", url: "https://www.suse.com/security/cve/CVE-2021-31542", }, { category: "external", summary: "SUSE Bug 1185623 for CVE-2021-31542", url: "https://bugzilla.suse.com/1185623", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-31542", }, { cve: "CVE-2021-32052", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-32052", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-32052", url: "https://www.suse.com/security/cve/CVE-2021-32052", }, { category: "external", summary: "SUSE Bug 1185713 for CVE-2021-32052", url: "https://bugzilla.suse.com/1185713", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-32052", }, { cve: "CVE-2021-33203", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-33203", }, ], notes: [ { category: "general", text: "Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-33203", url: "https://www.suse.com/security/cve/CVE-2021-33203", }, { category: "external", summary: "SUSE Bug 1186608 for CVE-2021-33203", url: "https://bugzilla.suse.com/1186608", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 4.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "moderate", }, ], title: "CVE-2021-33203", }, { cve: "CVE-2021-33571", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-33571", }, ], notes: [ { category: "general", text: "In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-33571", url: "https://www.suse.com/security/cve/CVE-2021-33571", }, { category: "external", summary: "SUSE Bug 1186611 for CVE-2021-33571", url: "https://bugzilla.suse.com/1186611", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "important", }, ], title: "CVE-2021-33571", }, { cve: "CVE-2021-35042", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-35042", }, ], notes: [ { category: "general", text: "Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-35042", url: "https://www.suse.com/security/cve/CVE-2021-35042", }, { category: "external", summary: "SUSE Bug 1187785 for CVE-2021-35042", url: "https://bugzilla.suse.com/1187785", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python310-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python311-Django-4.2.11-2.1.x86_64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.aarch64", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.ppc64le", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.s390x", "openSUSE Tumbleweed:python312-Django-4.2.11-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-06-15T00:00:00Z", details: "critical", }, ], title: "CVE-2021-35042", }, ], }
opensuse-su-2018:0632-1
Vulnerability from csaf_opensuse
Published
2018-03-07 13:14
Modified
2018-03-07 13:14
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following issues:
Update to version 1.11.10 LTS
* Fixes CVE-2018-6188 boo#1077714, CVE-2017-7234, CVE-2017-7233,
CVE-2017-12794
Patchnames
openSUSE-2018-236
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for python-Django", title: "Title of the patch", }, { category: "description", text: "This update for python-Django fixes the following issues:\n Update to version 1.11.10 LTS\n * Fixes CVE-2018-6188 boo#1077714, CVE-2017-7234, CVE-2017-7233,\n CVE-2017-12794\n", title: "Description of the patch", }, { category: "details", text: "openSUSE-2018-236", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2018_0632-1.json", }, { category: "self", summary: "SUSE Bug 1077714", url: "https://bugzilla.suse.com/1077714", }, { category: "self", summary: "SUSE CVE CVE-2017-12794 page", url: "https://www.suse.com/security/cve/CVE-2017-12794/", }, { category: "self", summary: "SUSE CVE CVE-2017-7233 page", url: "https://www.suse.com/security/cve/CVE-2017-7233/", }, { category: "self", summary: "SUSE CVE CVE-2017-7234 page", url: "https://www.suse.com/security/cve/CVE-2017-7234/", }, { category: "self", summary: "SUSE CVE CVE-2018-6188 page", url: "https://www.suse.com/security/cve/CVE-2018-6188/", }, ], title: "Security update for python-Django", tracking: { current_release_date: "2018-03-07T13:14:36Z", generator: { date: "2018-03-07T13:14:36Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2018:0632-1", initial_release_date: "2018-03-07T13:14:36Z", revision_history: [ { date: "2018-03-07T13:14:36Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "python-Django-1.11.10-5.1.noarch", product: { name: "python-Django-1.11.10-5.1.noarch", product_id: "python-Django-1.11.10-5.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Package Hub 12", product: { name: "SUSE Package Hub 12", product_id: "SUSE Package Hub 12", product_identification_helper: { cpe: "cpe:/o:suse:packagehub:12", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "python-Django-1.11.10-5.1.noarch as component of SUSE Package Hub 12", product_id: "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", }, product_reference: "python-Django-1.11.10-5.1.noarch", relates_to_product_reference: "SUSE Package Hub 12", }, ], }, vulnerabilities: [ { cve: "CVE-2017-12794", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12794", }, ], notes: [ { category: "general", text: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-12794", url: "https://www.suse.com/security/cve/CVE-2017-12794", }, { category: "external", summary: "SUSE Bug 1056284 for CVE-2017-12794", url: "https://bugzilla.suse.com/1056284", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-03-07T13:14:36Z", details: "moderate", }, ], title: "CVE-2017-12794", }, { cve: "CVE-2017-7233", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7233", }, ], notes: [ { category: "general", text: "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7233", url: "https://www.suse.com/security/cve/CVE-2017-7233", }, { category: "external", summary: "SUSE Bug 1031450 for CVE-2017-7233", url: "https://bugzilla.suse.com/1031450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-03-07T13:14:36Z", details: "low", }, ], title: "CVE-2017-7233", }, { cve: "CVE-2017-7234", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7234", }, ], notes: [ { category: "general", text: "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7234", url: "https://www.suse.com/security/cve/CVE-2017-7234", }, { category: "external", summary: "SUSE Bug 1031451 for CVE-2017-7234", url: "https://bugzilla.suse.com/1031451", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-03-07T13:14:36Z", details: "low", }, ], title: "CVE-2017-7234", }, { cve: "CVE-2018-6188", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-6188", }, ], notes: [ { category: "general", text: "django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2018-6188", url: "https://www.suse.com/security/cve/CVE-2018-6188", }, { category: "external", summary: "SUSE Bug 1077714 for CVE-2018-6188", url: "https://bugzilla.suse.com/1077714", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "SUSE Package Hub 12:python-Django-1.11.10-5.1.noarch", ], }, ], threats: [ { category: "impact", date: "2018-03-07T13:14:36Z", details: "important", }, ], title: "CVE-2018-6188", }, ], }
fkie_cve-2017-12794
Vulnerability from fkie_nvd
Published
2017-09-07 13:29
Modified
2025-04-20 01:37
Severity ?
Summary
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/100643 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securitytracker.com/id/1039264 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://usn.ubuntu.com/3559-1/ | ||
| cve@mitre.org | https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/100643 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1039264 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3559-1/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| djangoproject | django | 1.10.0 | |
| djangoproject | django | 1.10.1 | |
| djangoproject | django | 1.10.2 | |
| djangoproject | django | 1.10.3 | |
| djangoproject | django | 1.10.4 | |
| djangoproject | django | 1.10.5 | |
| djangoproject | django | 1.10.6 | |
| djangoproject | django | 1.10.7 | |
| djangoproject | django | 1.11.0 | |
| djangoproject | django | 1.11.1 | |
| djangoproject | django | 1.11.2 | |
| djangoproject | django | 1.11.3 | |
| djangoproject | django | 1.11.4 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*", matchCriteriaId: "5D2541CE-0462-46DF-BDD8-C19D6E45140B", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*", matchCriteriaId: "2CE31960-7C68-42F3-B215-B30A87DB67CC", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*", matchCriteriaId: "B3838B8E-8F0E-4F7A-88E6-FFF2590E5302", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.10.3:*:*:*:*:*:*:*", matchCriteriaId: "0D6C6214-7946-4025-84E6-59448CFE75B1", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.10.4:*:*:*:*:*:*:*", matchCriteriaId: "58182835-CB1F-4490-AE65-90601DBFD0D5", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.10.5:*:*:*:*:*:*:*", matchCriteriaId: "04AE04CD-E923-4630-9BAA-5A4D5A5D0055", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.10.6:*:*:*:*:*:*:*", matchCriteriaId: "2517FB1C-B732-432B-9F27-EE60F6556433", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.10.7:*:*:*:*:*:*:*", matchCriteriaId: "28F4BB27-B6AF-47AD-9301-DDFF4198B9F1", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.11.0:*:*:*:*:*:*:*", matchCriteriaId: "CC58EB0F-6DE0-450B-A963-2CA4084BDE71", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.11.1:*:*:*:*:*:*:*", matchCriteriaId: "437E4D87-F5C9-4954-9882-396C0ADF649E", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.11.2:*:*:*:*:*:*:*", matchCriteriaId: "D64C7397-B2A8-4C93-AC09-337E243A7483", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.11.3:*:*:*:*:*:*:*", matchCriteriaId: "4F3CDEA7-EFB7-4F4B-872B-1D18CDE340CB", vulnerable: true, }, { criteria: "cpe:2.3:a:djangoproject:django:1.11.4:*:*:*:*:*:*:*", matchCriteriaId: "08EFE4B2-E975-4842-BCAB-528D03F4AB73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", }, { lang: "es", value: "En Django versiones 1.10.x anteriores a la 1.10.8 y versiones 1.11.x anteriores a la 1.11.5, se deshabilitó la función de autoescapado HTML en una parte de la plantilla para la página de depuración technical 500. En las condiciones adecuadas, esto permitiría un ataque de Cross-Site Scripting (XSS). Esta vulnerabilidad no debería afectar a la mayoría de sitios de producción, ya que no se debería ejecutar el programa con \"DEBUG = True\" (lo que hace que esta página sea accesible) en la configuración de producción.", }, ], id: "CVE-2017-12794", lastModified: "2025-04-20T01:37:25.860", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-09-07T13:29:00.467", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100643", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039264", }, { source: "cve@mitre.org", url: "https://usn.ubuntu.com/3559-1/", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100643", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039264", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://usn.ubuntu.com/3559-1/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
gsd-2017-12794
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.
Aliases
Aliases
{ GSD: { alias: "CVE-2017-12794", description: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", id: "GSD-2017-12794", references: [ "https://www.suse.com/security/cve/CVE-2017-12794.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2017-12794", ], details: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", id: "GSD-2017-12794", modified: "2023-12-13T01:21:03.282803Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-12794", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "USN-3559-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3559-1/", }, { name: "100643", refsource: "BID", url: "http://www.securityfocus.com/bid/100643", }, { name: "1039264", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039264", }, { name: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", refsource: "CONFIRM", url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: ">=1.10.0,<=1.10.7||>=1.11.0,<=1.11.4", affected_versions: "All versions starting from 1.10.0 up to 1.10.7, all versions starting from 1.11.0 up to 1.11.4", credit: "Charles Bideau", cvss_v2: "AV:N/AC:M/Au:N/C:N/I:P/A:N", cvss_v3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", cwe_ids: [ "CWE-1035", "CWE-79", "CWE-937", ], date: "2018-03-16", description: "HTML auto-escaping was disabled in a portion of the template for the technical debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with `DEBUG = True` (which makes this page accessible) in your production settings.", fixed_versions: [ "1.10.8", "1.11.5", ], identifier: "CVE-2017-12794", identifiers: [ "CVE-2017-12794", ], not_impacted: "All versions before 1.10.0, all versions after 1.10.7 before 1.11.0, all versions after 1.11.4", package_slug: "pypi/Django", pubdate: "2017-09-07", solution: "Upgrade to versions 1.10.8, 1.11.5 or above.", title: "Possible XSS in traceback section of technical 500 debug page", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2017-12794", "http://www.securityfocus.com/bid/100643", "http://www.securitytracker.com/id/1039264", "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", ], uuid: "6162a015-8635-4a15-8d7c-dc9321db366f", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.11.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.11.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.11.4:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.7:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.11.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.11.3:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.5:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:djangoproject:django:1.10.6:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2017-12794", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", refsource: "CONFIRM", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.djangoproject.com/weblog/2017/sep/05/security-releases/", }, { name: "1039264", refsource: "SECTRACK", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039264", }, { name: "100643", refsource: "BID", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100643", }, { name: "USN-3559-1", refsource: "UBUNTU", tags: [], url: "https://usn.ubuntu.com/3559-1/", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: true, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 2.7, }, }, lastModifiedDate: "2018-03-16T01:29Z", publishedDate: "2017-09-07T13:29Z", }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.