etesync / server

The Etebase server (so you can run your own)
https://www.etesync.com
GNU Affero General Public License v3.0

Vulnerability in Django (CVE-2024-24680) #177

Closed helix-loop closed 5 months ago

helix-loop commented 5 months ago

As etebase-server is using Django, I was looking at the version of Django used in etebase-server because of CVE-2024-24680. As referenced in requirements.txt this is 3.2.16, which at least has one vulnerability according to https://docs.djangoproject.com/en/dev/releases/3.2.17/.

Would it be possible to bump Django to 3.2.24 (https://docs.djangoproject.com/en/dev/releases/3.2.24/) and publish a new release of etebase-server?
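The check the reporter did by hand, as an added example that is not part of the issue or the etebase-server code base: parse a requirements.txt, find the Django pin, and decide whether it is below the 3.2.24 release named above. The sample requirements text is constructed; only the 3.2 line is handled because that is the only fixed version the issue mentions.

```python
# Added example (not from the etebase-server repository): flag a Django pin in
# requirements.txt that sits on the 3.2 line but below the release that fixed
# CVE-2024-24680 on that line (3.2.24, as stated in the issue).
import re

FIXED_DJANGO_3_2 = (3, 2, 24)

# Constructed sample mirroring the pin the reporter found (Django==3.2.16).
SAMPLE_REQUIREMENTS = """\
fastapi==0.95.0
Django==3.2.16
# comment line
uvicorn>=0.20.0
"""

# Matches only exact '==' pins; range specifiers are deliberately not resolved.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", re.ASCII)


def parse_version(text):
    """Turn '3.2.16' into (3, 2, 16); a non-numeric tail such as 'rc1' ends parsing."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def pinned_versions(requirements):
    """Return {normalized_name: version_string} for every '==' pin in the file."""
    pins = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = _PIN_RE.match(line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def django_pin_is_vulnerable(requirements, fixed=FIXED_DJANGO_3_2):
    """True if Django is pinned on the same major.minor line as `fixed` but below it.
    None when Django is not exactly pinned, or is on a line this check has no fix version for."""
    pin = pinned_versions(requirements).get("django")
    if pin is None:
        return None
    ver = parse_version(pin)
    if ver[:2] != fixed[:2]:
        return None
    return ver < fixed


if __name__ == "__main__":
    print(django_pin_is_vulnerable(SAMPLE_REQUIREMENTS))  # True for Django==3.2.16
```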

tasn commented 5 months ago

This code is not actually used. We don't use django directly anymore, we just use the django ORM. We use FastAPI for the server stuff. Please reopen if I misunderstood it, but etesync is not affected based on my understanding.