Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation**

## Details

Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

- An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.
- Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
- The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
- The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
- The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.
- The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
- The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
- In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
- Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
- Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.
- The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."
- The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
- Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
- The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.
- The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
- The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
- Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
- The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
- The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
- The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
- The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
- django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
- The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
## Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
## Vulnerabilities
## Details
### CVE-2022-34265

#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.

Publish Date: 2022-07-04

URL: CVE-2022-34265

#### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Release Date: 2022-07-04

Fix Resolution: 3.2.14

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2019-19844
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Publish Date: 2019-12-18

URL: CVE-2019-19844

#### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844

Release Date: 2019-12-18

Fix Resolution: 1.11.27;2.2.9;3.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2014-0474
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Publish Date: 2014-04-23

URL: CVE-2014-0474

#### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474

Release Date: 2014-04-23

Fix Resolution: 1.4.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2015-5143
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Publish Date: 2015-07-14

URL: CVE-2015-5143

#### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143

Release Date: 2015-07-14

Fix Resolution: 1.4.21,1.7.9,1.8.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2014-0480
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Publish Date: 2014-08-26

URL: CVE-2014-0480

#### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2011-4140
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Publish Date: 2011-10-19

URL: CVE-2011-4140

#### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Release Date: 2011-10-19

Fix Resolution: 1.2.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2016-2512
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

Publish Date: 2016-04-08

URL: CVE-2016-2512

#### CVSS 3 Score Details (7.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2512

Release Date: 2016-04-08

Fix Resolution: 1.8.10,1.9.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2021-44420
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Publish Date: 2021-12-07

URL: CVE-2021-44420

#### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://docs.djangoproject.com/en/3.2/releases/security/

Release Date: 2021-12-07

Fix Resolution: 2.2.25

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2011-0698
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.

Publish Date: 2011-02-14

URL: CVE-2011-0698

#### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0698

Release Date: 2011-02-14

Fix Resolution: 1.2.5

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2016-6186
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Publish Date: 2016-08-05

URL: CVE-2016-6186

#### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6186

Release Date: 2016-08-05

Fix Resolution: 1.8.14

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2014-0472
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Publish Date: 2014-04-23

URL: CVE-2014-0472

#### CVSS 3 Score Details (5.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472

Release Date: 2014-04-23

Fix Resolution: 1.4.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2015-0221
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

Publish Date: 2015-01-16

URL: CVE-2015-0221

#### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0221

Release Date: 2015-01-16

Fix Resolution: 1.4.18,1.6.10,1.7.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2015-0219
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Publish Date: 2015-01-16

URL: CVE-2015-0219

#### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0219

Release Date: 2015-01-16

Fix Resolution: 1.4.18,1.6.10,1.7.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2014-0473
#### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

#### Vulnerability Details

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

Publish Date: 2014-04-23

URL: CVE-2014-0473

#### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

#### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0473

Release Date: 2014-04-23

Fix Resolution: 1.4.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

### CVE-2012-3444
### Vulnerable Library - Django-1.2.tar.gzA high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability DetailsThe get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.
Publish Date: 2012-07-31
URL: CVE-2012-3444
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3444
Release Date: 2012-07-31
Fix Resolution: 1.3.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2012-3443
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.
Publish Date: 2012-07-31
URL: CVE-2012-3443
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3443
Release Date: 2012-07-31
Fix Resolution: 1.4.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2011-4139
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
Publish Date: 2011-10-19
URL: CVE-2011-4139
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4139
Release Date: 2011-10-19
Fix Resolution: 1.2.7
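The cache-poisoning path described in this entry comes from trusting the Host header when an absolute URL is built and then letting a shared cache store the result. The following is an added example, not Django's code and not part of the original report: the trusting pattern next to a version that validates the host against an allow-list before any URL is built, plus a toy path-keyed cache that shows who ends up seeing the attacker's origin. Django's own control for this is the `ALLOWED_HOSTS` setting of later releases; the `ALLOWED_HOSTS` list, `HOST_RE`, `DisallowedHost` and all function names here are this example's own, and the `META` dictionaries are constructed inputs.

```python
"""Added example (not Django's code): absolute URLs from the Host header, unsafe and safe."""
import re
from urllib.parse import urlunsplit

# Constructed deployment allow-list: exact names, or a leading dot for any subdomain.
ALLOWED_HOSTS = ["example.com", ".example.com"]

# A hostname or a bracketed IPv6 literal, with an optional port.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[0-9a-f:.]+\])(:\d+)?$", re.IGNORECASE)


class DisallowedHost(ValueError):
    pass


def absolute_url_unsafe(meta, path, secure=False):
    """Vulnerable pattern: whatever the client sent as Host becomes the URL's origin."""
    return urlunsplit(("https" if secure else "http", meta["HTTP_HOST"], path, "", ""))


def split_host(raw):
    """Check the header's syntax and return (lower-cased name, port or None)."""
    m = HOST_RE.match(raw or "")
    if not m:
        raise DisallowedHost(f"malformed Host header: {raw!r}")
    name, port = m.group(1).lower(), m.group(2)
    return name, (port[1:] if port else None)


def host_allowed(name, allowed=ALLOWED_HOSTS):
    """Exact match, or subdomain match for patterns that start with a dot."""
    for pattern in allowed:
        if pattern.startswith("."):
            if name == pattern[1:] or name.endswith(pattern):
                return True
        elif name == pattern:
            return True
    return False


def absolute_url(meta, path, secure=False, allowed=ALLOWED_HOSTS):
    """Hardened: only a well-formed, allow-listed host is used; anything else is
    rejected before a URL exists, so nothing attacker-chosen can reach a cache."""
    name, port = split_host(meta.get("HTTP_HOST"))
    if not host_allowed(name, allowed):
        raise DisallowedHost(f"host not in allow-list: {name!r}")
    netloc = f"{name}:{port}" if port else name
    return urlunsplit(("https" if secure else "http", netloc, path, "", ""))


def cached_url(cache, meta, path, builder):
    """Toy shared cache keyed only on the path (constructed for the example): the
    first request to fill an entry decides what every later visitor is served."""
    if path not in cache:
        cache[path] = builder(meta, path)
    return cache[path]
```

The first request with a crafted Host fills the cache entry under `absolute_url_unsafe`, and a later legitimate visitor is served a link pointing at the attacker's host; under `absolute_url` the crafted request is rejected and the cache stays empty until a legitimate request fills it.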
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2011-4138
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
Publish Date: 2011-10-19
URL: CVE-2011-4138
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4138
Release Date: 2011-10-19
Fix Resolution: 1.2.7
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2011-4137
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
Publish Date: 2011-10-19
URL: CVE-2011-4137
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4137
Release Date: 2011-10-19
Fix Resolution: 1.2.7
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2010-4535
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
Publish Date: 2011-01-10
URL: CVE-2010-4535
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4535
Release Date: 2011-01-10
Fix Resolution: 1.2.4
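The missing check in this entry is a length bound on the base-36 timestamp that arrives in the reset URL. The following is an added example, not Django's code and not part of the original report: a minimal HMAC-based reset token whose timestamp segment is base-36 encoded, the unbounded conversion the advisory describes, and a bounded conversion that rejects oversized input before any other work is done. Django's own base-36 helper applies a 13-character limit; the token layout, the `SECRET` used in the checks and every name here are this example's own.

```python
"""Added example (not Django's code): bounded base-36 parsing in a reset-token check."""
import hashlib
import hmac
import time

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
# 36**13 is above 1.7e20, far past any Unix timestamp, so more digits can only be abuse.
MAX_BASE36_DIGITS = 13


def int_to_base36(i):
    if i < 0:
        raise ValueError("negative value")
    if i == 0:
        return "0"
    out = []
    while i:
        i, r = divmod(i, 36)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def base36_to_int_unsafe(s):
    """Pre-fix behaviour: int() on an unbounded string; conversion cost grows
    quadratically with the length the client chose. (Python 3.11+ caps str->int
    at 4300 digits by default, which blunts but does not remove the problem.)"""
    return int(s, 36)


def base36_to_int(s):
    """Hardened: bound the input before any conversion work happens."""
    if len(s) > MAX_BASE36_DIGITS:
        raise ValueError("base36 input too large")
    return int(s, 36)


def make_token(user_pk, secret, timestamp=None):
    """Token = base36(timestamp) '-' truncated HMAC over (user, timestamp)."""
    ts_b36 = int_to_base36(int(time.time() if timestamp is None else timestamp))
    mac = hmac.new(secret, f"{user_pk}:{ts_b36}".encode(), hashlib.sha256).hexdigest()[:20]
    return f"{ts_b36}-{mac}"


def check_token(user_pk, token, secret, max_age=3 * 86400, now=None):
    """Cheap structural checks first (including the length bound), then the HMAC,
    then the age window. Oversized input never reaches int()."""
    try:
        ts_b36, _mac = token.split("-", 1)
        ts = base36_to_int(ts_b36)
    except ValueError:
        return False
    if not hmac.compare_digest(make_token(user_pk, secret, ts), token):
        return False
    age = (time.time() if now is None else now) - ts
    return 0 <= age <= max_age
```

The point of the ordering in `check_token` is that rejection of a hostile timestamp costs a single `len()` call; the HMAC, which is the expensive part, is only computed for structurally valid input.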
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2014-0482
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.
Publish Date: 2014-08-26
URL: CVE-2014-0482
### CVSS 3 Score Details (5.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482
Release Date: 2014-08-26
Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7
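Behind an authenticating proxy, REMOTE_USER is the only statement of who is at the other end of the connection, so a session bound to one identity must not survive a request in which the proxy asserts a different identity or none at all. The following is an added example, not Django's code and not part of the original report: a REMOTE_USER middleware in the pre-fix shape the advisory describes (header checked only until a session exists) next to a version that re-checks the header on every request. The `Request` object, the dict-backed session and the `login`/`logout` helpers are this example's own constructions; Django's patched middleware implements the same rule with its own session and auth machinery.

```python
"""Added example (not Django's code): REMOTE_USER must be re-validated on every request."""
import secrets


class Request:
    """Constructed stand-in: META carries proxy-set headers; `session` is the dict
    shared by every request that presents the same session cookie."""
    def __init__(self, meta, session):
        self.META = meta
        self.session = session


def current_user(request):
    return request.session.get("_auth_user")


def login(request, username):
    """Bind the user to the session and rotate the session id (anti-fixation)."""
    request.session.clear()
    request.session["_auth_user"] = username
    request.session["_session_id"] = secrets.token_hex(16)


def logout(request):
    request.session.clear()


def remote_user_middleware_unsafe(request):
    """Pre-fix shape: once the session is authenticated the header is never looked
    at again, so a later request with the same cookie but a different (or no)
    REMOTE_USER keeps acting as the first user."""
    if current_user(request) is None:
        username = request.META.get("REMOTE_USER")
        if username:
            login(request, username)
    return current_user(request)


def remote_user_middleware(request):
    """Hardened: the header is the source of truth on every request."""
    username = request.META.get("REMOTE_USER")
    if not username:
        logout(request)          # the proxy no longer vouches for anyone
        return None
    if current_user(request) not in (None, username):
        logout(request)          # this cookie belongs to a different identity
    if current_user(request) is None:
        login(request, username)
    return current_user(request)
```

In the hardened version a request for `bob` arriving with `alice`'s session cookie ends `alice`'s session and starts a fresh one for `bob`, with a new session id; a request with no header at all ends the session outright.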
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2011-4136
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
Publish Date: 2011-10-19
URL: CVE-2011-4136
### CVSS 3 Score Details (4.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4136
Release Date: 2011-10-19
Fix Resolution: 1.2.7
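The attack in this entry needs no knowledge of anyone else's session: a client always knows their own session id (it is their cookie), so if the application ever caches client-influenced data under a client-chosen key, the client can write arbitrary session data into their own session. The following is an added example, not Django's code and not part of the original report: a flat dict standing in for a memcached pool, a session store that uses the raw session id as its cache key, and a store that namespaces its keys. The prefix string matches the one Django's fixed cache backend uses; `FlatCache`, `cache_search_result`, the session ids and the `escalate` scenario are this example's own constructions.

```python
"""Added example (not Django's code): session keys and app cache keys in one namespace."""


class FlatCache(dict):
    """One flat key space, like a memcached pool shared by the whole site."""
    def set(self, key, value):
        self[key] = value


class CacheSessionStoreUnsafe:
    """Pre-fix shape: the raw session id is the cache key."""
    def __init__(self, cache, session_key):
        self.cache, self.session_key = cache, session_key

    def cache_key(self):
        return self.session_key

    def load(self):
        data = self.cache.get(self.cache_key())
        return dict(data) if isinstance(data, dict) else {}

    def save(self, data):
        self.cache.set(self.cache_key(), dict(data))


class CacheSessionStore(CacheSessionStoreUnsafe):
    """Hardened: a fixed prefix keeps session entries out of reach of any
    application key, whatever the client manages to choose."""
    KEY_PREFIX = "django.contrib.sessions.cache"

    def cache_key(self):
        return self.KEY_PREFIX + self.session_key


def cache_search_result(cache, query, result):
    """Constructed application code: caches a result under a client-supplied key,
    a common pattern that is harmless only if sessions live in their own namespace."""
    cache.set(query, result)


def escalate(store_cls, cache, session_key):
    """Scenario: a low-privilege user logs in, then gets the application to cache
    attacker-chosen data under a key equal to their own session id, and reads
    their session back. Returns what the session store now believes."""
    store = store_cls(cache, session_key)
    store.save({"_auth_user_id": 1042})  # ordinary login as user 1042
    cache_search_result(cache, session_key, {"_auth_user_id": 1, "is_superuser": True})
    return store.load()
```

With the unprefixed store the session now claims to be user 1 with superuser rights; with the prefixed store the application write lands on a different key and the session is untouched.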
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2010-4534
### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz
Path to dependency file: /tests/sca_package/examples/requirements.txt
Path to vulnerable library: /tests/sca_package/examples/requirements.txt, /tests/sca_package_2/examples/requirements.txt
Dependency Hierarchy:
- :x: **Django-1.2.tar.gz** (Vulnerable Library)
Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c
Found in base branch: main
### Vulnerability Details

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
Publish Date: 2011-01-10
URL: CVE-2010-4534
### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2010/dec/22/security/
Release Date: 2011-01-10
Fix Resolution: 1.2.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
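The changelist filter in this entry turns every `field__lookup=value` query-string parameter into a database filter, so a low-privilege admin user can walk a relation into a field they are never shown and use "rows / no rows" as a one-character-at-a-time oracle, which is what the `created_by__password__regex` parameter above does. The following is an added example, not Django's code and not part of the original report: an in-memory changelist that honours arbitrary lookups, the allow-list check that confines filtering to the fields the admin explicitly exposed (Django's fix added `ModelAdmin.lookup_allowed()` for this), and the oracle loop run against constructed rows so the leak is visible end to end. The `ROWS`, `LOOKUPS`, `list_filter` default and all names here are this example's own.

```python
"""Added example (not Django's code): query-string lookups need an allow-list."""
import re

# Constructed data: articles with a related author record that carries a hash.
ROWS = [
    {"title": "Hello", "published": True,
     "created_by": {"username": "admin", "password": "pbkdf2_sha256$zz9secret"}},
    {"title": "Draft", "published": False,
     "created_by": {"username": "editor", "password": "pbkdf2_sha256$qq1other"}},
]
LOOKUPS = ("exact", "regex", "startswith")


def split_lookup(key):
    """'created_by__password__regex' -> (['created_by', 'password'], 'regex')."""
    parts = key.split("__")
    if len(parts) > 1 and parts[-1] in LOOKUPS:
        return parts[:-1], parts[-1]
    return parts, "exact"


def resolve(row, path):
    for part in path:
        row = row[part]
    return row


def matches(value, lookup, arg):
    if lookup == "exact":
        return str(value) == arg
    if lookup == "startswith":
        return str(value).startswith(arg)
    return re.search(arg, str(value)) is not None


def changelist_unsafe(rows, params):
    """Pre-fix shape: every query-string parameter becomes a filter, relations included."""
    out = rows
    for key, arg in params.items():
        path, lookup = split_lookup(key)
        out = [r for r in out if matches(resolve(r, path), lookup, arg)]
    return out


class DisallowedLookup(ValueError):
    pass


def lookup_allowed(key, list_filter):
    """Only field paths the admin explicitly exposed may be filtered on."""
    path, _lookup = split_lookup(key)
    return "__".join(path) in list_filter


def changelist(rows, params, list_filter=("published", "created_by__username")):
    """Hardened: reject the request before any filtering if a lookup is not exposed."""
    for key in params:
        if not lookup_allowed(key, list_filter):
            raise DisallowedLookup(key)
    return changelist_unsafe(rows, params)


def hash_prefix_oracle(rows, filter_fn, alphabet, length):
    """How the leak is used: one request per candidate character, with an empty
    or non-empty result set as the oracle. Stops once no candidate extends the prefix."""
    known = ""
    for _ in range(length):
        for ch in alphabet:
            params = {"created_by__username": "admin",
                      "created_by__password__regex": "^" + re.escape(known + ch)}
            if filter_fn(rows, params):
                known += ch
                break
        else:
            break
    return known
```

Against `changelist_unsafe` the oracle recovers the stored hash prefix character by character; against `changelist` the very first probe raises `DisallowedLookup`, because `created_by__password` is not among the exposed filter fields, while the legitimate `published` and `created_by__username` filters keep working.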