KDWSS / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
0 stars 0 forks source link

Django-1.2.tar.gz: 31 vulnerabilities (highest severity is: 9.8) #15

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Django version) Remediation Possible**
CVE-2022-34265 Critical 9.8 Django-1.2.tar.gz Direct 3.2.14
CVE-2019-19844 Critical 9.8 Django-1.2.tar.gz Direct 1.11.27;2.2.9;3.0.1
CVE-2014-0474 Critical 9.8 Django-1.2.tar.gz Direct 1.4.11
CVE-2015-5143 High 7.5 Django-1.2.tar.gz Direct 1.4.21,1.7.9,1.8.3
CVE-2014-0480 High 7.5 Django-1.2.tar.gz Direct 1.4.14,1.5.9,1.6.6,1.7.1
CVE-2011-4140 High 7.5 Django-1.2.tar.gz Direct 1.2.7
CVE-2016-2512 High 7.4 Django-1.2.tar.gz Direct 1.8.10,1.9.3
CVE-2021-44420 High 7.3 Django-1.2.tar.gz Direct 2.2.25
CVE-2011-0698 High 7.3 Django-1.2.tar.gz Direct 1.2.5
CVE-2016-6186 Medium 6.1 Django-1.2.tar.gz Direct 1.8.14
CVE-2014-0472 Medium 5.6 Django-1.2.tar.gz Direct 1.4.11
CVE-2015-0221 Medium 5.3 Django-1.2.tar.gz Direct 1.4.18,1.6.10,1.7.3
CVE-2015-0219 Medium 5.3 Django-1.2.tar.gz Direct 1.4.18,1.6.10,1.7.3
CVE-2014-0473 Medium 5.3 Django-1.2.tar.gz Direct 1.4.11
CVE-2012-3444 Medium 5.3 Django-1.2.tar.gz Direct 1.3.3
CVE-2012-3443 Medium 5.3 Django-1.2.tar.gz Direct 1.4.1
CVE-2011-4139 Medium 5.3 Django-1.2.tar.gz Direct 1.2.7
CVE-2011-4138 Medium 5.3 Django-1.2.tar.gz Direct 1.2.7
CVE-2011-4137 Medium 5.3 Django-1.2.tar.gz Direct 1.2.7
CVE-2010-4535 Medium 5.3 Django-1.2.tar.gz Direct 1.2.4
CVE-2014-0482 Medium 5.0 Django-1.2.tar.gz Direct 1.4.14,1.5.9,1.6.6,1.7
CVE-2011-4136 Medium 4.8 Django-1.2.tar.gz Direct 1.2.7
CVE-2010-4534 Medium 4.3 Django-1.2.tar.gz Direct 1.2.4
CVE-2015-5144 Low 3.7 Django-1.2.tar.gz Direct 1.4.21,1.7.9,1.8.3
CVE-2015-2317 Low 3.7 Django-1.2.tar.gz Direct 1.4.20,1.6.11,1.7.7,1.8c1
CVE-2015-0220 Low 3.7 Django-1.2.tar.gz Direct 1.4.18,1.6.10,1.7.3
CVE-2014-0481 Low 3.7 Django-1.2.tar.gz Direct 1.4.14
CVE-2012-3442 Low 3.7 Django-1.2.tar.gz Direct 1.3.2
CVE-2010-3082 Low 3.7 Django-1.2.tar.gz Direct 1.2.2
CVE-2016-2513 Low 3.1 Django-1.2.tar.gz Direct 1.8.10,1.9.3
CVE-2014-0483 Low 3.1 Django-1.2.tar.gz Direct 1.4.14,1.5.9,1.6.6,1.7

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-34265 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.

Publish Date: 2022-07-04

URL: CVE-2022-34265

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Release Date: 2022-07-04

Fix Resolution: 3.2.14

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-19844 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Publish Date: 2019-12-18

URL: CVE-2019-19844

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844

Release Date: 2019-12-18

Fix Resolution: 1.11.27;2.2.9;3.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-0474 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Publish Date: 2014-04-23

URL: CVE-2014-0474

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474

Release Date: 2014-04-23

Fix Resolution: 1.4.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-5143 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Publish Date: 2015-07-14

URL: CVE-2015-5143

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143

Release Date: 2015-07-14

Fix Resolution: 1.4.21,1.7.9,1.8.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-0480 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Publish Date: 2014-08-26

URL: CVE-2014-0480

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2011-4140 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Publish Date: 2011-10-19

URL: CVE-2011-4140

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/

Release Date: 2011-10-19

Fix Resolution: 1.2.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-2512 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

Publish Date: 2016-04-08

URL: CVE-2016-2512

### CVSS 3 Score Details (7.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2512

Release Date: 2016-04-08

Fix Resolution: 1.8.10,1.9.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-44420 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Publish Date: 2021-12-07

URL: CVE-2021-44420

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://docs.djangoproject.com/en/3.2/releases/security/

Release Date: 2021-12-07

Fix Resolution: 2.2.25

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2011-0698 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.

Publish Date: 2011-02-14

URL: CVE-2011-0698

### CVSS 3 Score Details (7.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0698

Release Date: 2011-02-14

Fix Resolution: 1.2.5

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-6186 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Publish Date: 2016-08-05

URL: CVE-2016-6186

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6186

Release Date: 2016-08-05

Fix Resolution: 1.8.14

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-0472 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Publish Date: 2014-04-23

URL: CVE-2014-0472

### CVSS 3 Score Details (5.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472

Release Date: 2014-04-23

Fix Resolution: 1.4.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-0221 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

Publish Date: 2015-01-16

URL: CVE-2015-0221

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0221

Release Date: 2015-01-16

Fix Resolution: 1.4.18,1.6.10,1.7.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-0219 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Publish Date: 2015-01-16

URL: CVE-2015-0219

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0219

Release Date: 2015-01-16

Fix Resolution: 1.4.18,1.6.10,1.7.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-0473 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

Publish Date: 2014-04-23

URL: CVE-2014-0473

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0473

Release Date: 2014-04-23

Fix Resolution: 1.4.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2012-3444 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a constant chunk size in all attempts to determine dimensions, which allows remote attackers to cause a denial of service (process or thread consumption) via a large TIFF image.

Publish Date: 2012-07-31

URL: CVE-2012-3444

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3444

Release Date: 2012-07-31

Fix Resolution: 1.3.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2012-3443 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The django.forms.ImageField class in the form system in Django before 1.3.2 and 1.4.x before 1.4.1 completely decompresses image data during image validation, which allows remote attackers to cause a denial of service (memory consumption) by uploading an image file.

Publish Date: 2012-07-31

URL: CVE-2012-3443

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-3443

Release Date: 2012-07-31

Fix Resolution: 1.4.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2011-4139 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

Publish Date: 2011-10-19

URL: CVE-2011-4139

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4139

Release Date: 2011-10-19

Fix Resolution: 1.2.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2011-4138 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.

Publish Date: 2011-10-19

URL: CVE-2011-4138

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4138

Release Date: 2011-10-19

Fix Resolution: 1.2.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2011-4137 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

Publish Date: 2011-10-19

URL: CVE-2011-4137

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4137

Release Date: 2011-10-19

Fix Resolution: 1.2.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2010-4535 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.

Publish Date: 2011-01-10

URL: CVE-2010-4535

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4535

Release Date: 2011-01-10

Fix Resolution: 1.2.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-0482 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

Publish Date: 2014-08-26

URL: CVE-2014-0482

### CVSS 3 Score Details (5.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2011-4136 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.

Publish Date: 2011-10-19

URL: CVE-2011-4136

### CVSS 3 Score Details (4.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4136

Release Date: 2011-10-19

Fix Resolution: 1.2.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2010-4534 ### Vulnerable Library - Django-1.2.tar.gz

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8e/d7/c31ff2b5564090955c9c67aa41c7d920f31a3fac019205747835b89dc5bd/Django-1.2.tar.gz

Path to dependency file: /tests/sca_package/examples/requirements.txt

Path to vulnerable library: /tests/sca_package/examples/requirements.txt,/tests/sca_package_2/examples/requirements.txt

Dependency Hierarchy: - :x: **Django-1.2.tar.gz** (Vulnerable Library)

Found in HEAD commit: 4d489b9f7c0daf4e81386f69e00c17d8627c5d9c

Found in base branch: main

### Vulnerability Details

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.

Publish Date: 2011-01-10

URL: CVE-2010-4534

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2010/dec/22/security/

Release Date: 2011-01-10

Fix Resolution: 1.2.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.