daita-technologies / backend

Backend system for the DAITA platform.
http://app.daita.tech
GNU Affero General Public License v3.0

Update dependency Django to v3.2.15 [SECURITY] - autoclosed #143

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| Django (source, changelog) | ==3.2.9 -> ==3.2.15 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2021-44420

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.

CVE-2021-45452

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

CVE-2021-45115

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

CVE-2021-45116

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.

CVE-2022-28347

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

CVE-2022-28346

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.


Release Notes

django/django

### [`v3.2.15`](https://togithub.com/django/django/compare/3.2.14...3.2.15)
[Compare Source](https://togithub.com/django/django/compare/3.2.14...3.2.15)

### [`v3.2.14`](https://togithub.com/django/django/compare/3.2.13...3.2.14)
[Compare Source](https://togithub.com/django/django/compare/3.2.13...3.2.14)

### [`v3.2.13`](https://togithub.com/django/django/compare/3.2.12...3.2.13)
[Compare Source](https://togithub.com/django/django/compare/3.2.12...3.2.13)

### [`v3.2.12`](https://togithub.com/django/django/compare/3.2.11...3.2.12)
[Compare Source](https://togithub.com/django/django/compare/3.2.11...3.2.12)

### [`v3.2.11`](https://togithub.com/django/django/compare/3.2.10...3.2.11)
[Compare Source](https://togithub.com/django/django/compare/3.2.10...3.2.11)

### [`v3.2.10`](https://togithub.com/django/django/compare/3.2.9...3.2.10)
[Compare Source](https://togithub.com/django/django/compare/3.2.9...3.2.10)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
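As an added example (not part of this PR, the Renovate output, or the repository's code), the following Python script encodes the affected version ranges from the seven advisories listed above and checks a pinned requirement against them. This is the check a reviewer would make before deciding whether a bump from `==3.2.9` matters. The advisory table is transcribed from the advisory text above; the function names and the requirement strings passed in are constructed for illustration.

```python
"""Check a pinned Django version against the advisories listed in this PR.

The ADVISORIES table is transcribed from the advisory text in the PR body
(constructed lookup table, not an authoritative feed). For each CVE it maps a
minor series ("3.2") to the first patch release in that series that is fixed.
"""
from __future__ import annotations

import re

ADVISORIES = {
    "CVE-2021-44420": {"2.2": "2.2.25", "3.1": "3.1.14", "3.2": "3.2.10"},
    "CVE-2021-45452": {"2.2": "2.2.26", "3.2": "3.2.11", "4.0": "4.0.1"},
    "CVE-2021-45115": {"2.2": "2.2.26", "3.2": "3.2.11", "4.0": "4.0.1"},
    "CVE-2021-45116": {"2.2": "2.2.26", "3.2": "3.2.11", "4.0": "4.0.1"},
    "CVE-2022-28347": {"2.2": "2.2.28", "3.2": "3.2.13", "4.0": "4.0.4"},
    "CVE-2022-28346": {"2.2": "2.2.28", "3.2": "3.2.13", "4.0": "4.0.4"},
    "CVE-2022-36359": {"3.2": "3.2.15", "4.0": "4.0.7"},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract a (major, minor, patch) tuple from "3.2.9" or a pin like "Django==3.2.9".

    A missing patch component ("3.2") is treated as patch 0, which is the
    conservative choice: it compares as the oldest release of that series.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affecting_advisories(pinned: str) -> list[str]:
    """Return the CVE ids from the table whose affected range includes `pinned`.

    A minor series that no advisory mentions yields no hits; that means the
    advisories on this page say nothing about it, not that it is safe.
    """
    v = parse_version(pinned)
    series = f"{v[0]}.{v[1]}"
    hits = []
    for cve, fixed_by_series in ADVISORIES.items():
        fixed = fixed_by_series.get(series)
        if fixed is not None and v < parse_version(fixed):
            hits.append(cve)
    return sorted(hits)


def minimum_safe_version(series: str) -> str | None:
    """Smallest release in `series` that clears every advisory in the table.

    Returns None when no advisory covers the series at all.
    """
    fixes = [parse_version(f[series]) for f in ADVISORIES.values() if series in f]
    if not fixes:
        return None
    return ".".join(str(n) for n in max(fixes))


if __name__ == "__main__":
    # Constructed requirement lines: the pin before and after this PR.
    for pin in ("Django==3.2.9", "Django==3.2.15"):
        print(pin, "->", affecting_advisories(pin) or "no listed advisory applies")
    print("minimum safe 3.2.x per this PR:", minimum_safe_version("3.2"))
```

For `Django==3.2.9` every listed advisory applies; for `3.2.15` none does, and `minimum_safe_version("3.2")` returns the version this PR targets. A series that appears in no advisory (an end-of-life 2.1, or a 4.1 released after these advisories) returns an empty list and `None`, so a caller should treat that as "not covered by this table" rather than as a clean result.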

ttattl commented 2 years ago

We do not use Django anymore. That was used for the first MVP. Currently, we are using Step Functions and Lambda in the current version. So please ignore that. I will delete it later, when we finish refactoring.