Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (Django version) |
Remediation Possible** |
| CVE-2025-64459 |
 Critical |
9.1 |
Django-3.2.4-py3-none-any.whl |
Direct |
https://github.com/django/django.git - 5.1.14,https://github.com/django/django.git - 4.2.26,django - 5.2.8,https://github.com/django/django.git - 5.2.8,django - 5.1.14,django - 4.2.26 |
✅ |
| CVE-2025-64458 |
 High |
7.5 |
Django-3.2.4-py3-none-any.whl |
Direct |
django - 4.2.26,django - 5.1.14,django - 5.2.8,https://github.com/django/django.git - 5.2.26,https://github.com/django/django.git - 5.2.8,https://github.com/django/django.git - 5.1.14 |
✅ |
| CVE-2024-24680 |
High |
7.5 |
Django-3.2.4-py3-none-any.whl |
Direct |
Django - 3.2.24,4.2.10,5.0.2 |
✅ |
| CVE-2023-43665 |
High |
7.5 |
Django-3.2.4-py3-none-any.whl |
Direct |
Django - 3.2.22,4.1.12,4.2.6 |
✅ |
| CVE-2023-24580 |
High |
7.5 |
Django-3.2.4-py3-none-any.whl |
Direct |
Django - 3.2.18,4.0.10,4.1.7 |
✅ |
| CVE-2023-23969 |
High |
7.5 |
Django-3.2.4-py3-none-any.whl |
Direct |
django - 3.2.17, 4.0.9, 4.1.6 |
✅ |
| CVE-2024-45231 |
 Medium |
5.3 |
Django-3.2.4-py3-none-any.whl |
Direct |
django - 4.2.16,django - 5.1.1,django - 5.0.9 |
❌ |
| CVE-2024-27351 |
Medium |
5.3 |
Django-3.2.4-py3-none-any.whl |
Direct |
Django - 3.2.25,4.2.11,5.0.3 |
✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-64459
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods "QuerySet.filter()", "QuerySet.exclude()", and "QuerySet.get()", and the class "Q()", are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the "_connector" argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64459
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-05
Fix Resolution: https://github.com/django/django.git - 5.1.14,https://github.com/django/django.git - 4.2.26,django - 5.2.8,https://github.com/django/django.git - 5.2.8,django - 5.1.14,django - 4.2.26
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-64458
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, "django.http.HttpResponseRedirect", "django.http.HttpResponsePermanentRedirect", and the shortcut "django.shortcuts.redirect" were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64458
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qw25-v68c-qjf3
Release Date: 2025-11-05
Fix Resolution: django - 4.2.26,django - 5.1.14,django - 5.2.8,https://github.com/django/django.git - 5.2.26,https://github.com/django/django.git - 5.2.8,https://github.com/django/django.git - 5.1.14
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-24680
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Publish Date: 2024-02-06
URL: CVE-2024-24680
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
Release Date: 2024-02-06
Fix Resolution: Django - 3.2.24,4.2.10,5.0.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-43665
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Publish Date: 2023-11-03
URL: CVE-2023-43665
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2023-43665
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.22,4.1.12,4.2.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-24580
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Publish Date: 2023-02-15
URL: CVE-2023-24580
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q1/93
Release Date: 2023-02-15
Fix Resolution: Django - 3.2.18,4.0.10,4.1.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-23969
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Publish Date: 2023-02-01
URL: CVE-2023-23969
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
Release Date: 2023-02-01
Fix Resolution: django - 3.2.17, 4.0.9, 4.1.6
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-45231
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Publish Date: 2024-10-08
URL: CVE-2024-45231
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rrqc-c2jx-6jgv
Release Date: 2024-10-08
Fix Resolution: django - 4.2.16,django - 5.1.1,django - 5.0.9
CVE-2024-27351
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
- ❌ Django-3.2.4-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Publish Date: 2024-03-15
URL: CVE-2024-27351
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q1/185
Release Date: 2024-03-15
Fix Resolution: Django - 3.2.25,4.2.11,5.0.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods "QuerySet.filter()", "QuerySet.exclude()", and "QuerySet.get()", and the class "Q()", are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the "_connector" argument.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64459
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-11-05
Fix Resolution: https://github.com/django/django.git - 5.1.14,https://github.com/django/django.git - 4.2.26,django - 5.2.8,https://github.com/django/django.git - 5.2.8,django - 5.1.14,django - 4.2.26
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence, "django.http.HttpResponseRedirect", "django.http.HttpResponsePermanentRedirect", and the shortcut "django.shortcuts.redirect" were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Publish Date: 2025-11-05
URL: CVE-2025-64458
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qw25-v68c-qjf3
Release Date: 2025-11-05
Fix Resolution: django - 4.2.26,django - 5.1.14,django - 5.2.8,https://github.com/django/django.git - 5.2.26,https://github.com/django/django.git - 5.2.8,https://github.com/django/django.git - 5.1.14
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Publish Date: 2024-02-06
URL: CVE-2024-24680
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
Release Date: 2024-02-06
Fix Resolution: Django - 3.2.24,4.2.10,5.0.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Publish Date: 2023-11-03
URL: CVE-2023-43665
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2023-43665
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.22,4.1.12,4.2.6
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Publish Date: 2023-02-15
URL: CVE-2023-24580
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q1/93
Release Date: 2023-02-15
Fix Resolution: Django - 3.2.18,4.0.10,4.1.7
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Publish Date: 2023-02-01
URL: CVE-2023-23969
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
Release Date: 2023-02-01
Fix Resolution: django - 3.2.17, 4.0.9, 4.1.6
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Publish Date: 2024-10-08
URL: CVE-2024-45231
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rrqc-c2jx-6jgv
Release Date: 2024-10-08
Fix Resolution: django - 4.2.16,django - 5.1.1,django - 5.0.9
Vulnerable Library - Django-3.2.4-py3-none-any.whl
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/ed1943c0ef2be99ade872f49a20aa4cfc70eb4ffc866fc61b128211f3e5d/Django-3.2.4-py3-none-any.whl
Path to dependency file: /data-files/benchmarks/bm_django_template/requirements.txt
Path to vulnerable library: /data-files/benchmarks/bm_django_template/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: b4e24341e4c07ef7401fadd16a39617d287a4d1e
Found in base branch: main
Vulnerability Details
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Publish Date: 2024-03-15
URL: CVE-2024-27351
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q1/185
Release Date: 2024-03-15
Fix Resolution: Django - 3.2.25,4.2.11,5.0.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.