jgeraigery / snyk-cli

Snyk CLI scans and monitors your projects for security vulnerabilities.
https://snyk.io

# Django-1.6.1-py2.py3-none-any.whl: 25 vulnerabilities (highest severity is: 9.8) #78

Open mend-for-github-com[bot] opened 2 months ago

mend-for-github-com[bot] commented 2 months ago
### Vulnerable Library - Django-1.6.1-py2.py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/53/c4/28cc8a55aa9bf9579bd496f88505f3a14ff0ed4b1c6954a8ba5ce649a685/Django-1.6.1-py2.py3-none-any.whl

Path to dependency file: /test/acceptance/workspaces/fail-on/pinnable/requirements.txt

Path to vulnerable library:

- /test/acceptance/workspaces/fail-on/pinnable/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-already-fixed/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-constraints/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/with-custom-formatting/requirements.txt
- /packages/snyk-fix/test/unit/plugins/python/workspaces/pip-app/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app-multiple-versions/core/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/core/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app-multiple-versions/lib/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/lib/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-already-fixed/core/requirements.txt

Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe

## Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (Django version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-34265 | Critical | 9.8 | Not Defined | 16.4% | Django-1.6.1-py2.py3-none-any.whl | Direct | Django - 3.2.14,4.0.6 | | |
| CVE-2019-19844 | Critical | 9.8 | Not Defined | 22.5% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.11.27;2.2.9;3.0.1 | | |
| CVE-2014-0474 | Critical | 9.8 | Not Defined | 1.7% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.3 | | |
| CVE-2016-7401 | High | 7.5 | Not Defined | 0.8% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.8.15,1.9.10 | | |
| CVE-2015-5143 | High | 7.5 | Not Defined | 13.500001% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.21,1.7.9,1.8.3 | | |
| CVE-2014-0480 | High | 7.5 | Not Defined | 0.5% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.14,1.5.9,1.6.6,1.7.1 | | |
| CVE-2016-2512 | High | 7.4 | Not Defined | 0.3% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.8.10,1.9.3 | | |
| CVE-2021-44420 | High | 7.3 | Not Defined | 0.2% | Django-1.6.1-py2.py3-none-any.whl | Direct | Django - 2.2.25,3.1.14,3.2.10 | | |
| CVE-2014-1418 | Medium | 6.5 | Not Defined | 0.5% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.5 | | |
| CVE-2016-6186 | Medium | 6.1 | Not Defined | 0.4% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.8.14,1.9.8,1.10rc1 | | |
| CVE-2014-0472 | Medium | 5.6 | Not Defined | 1.6% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.3 | | |
| CVE-2015-2316 | Medium | 5.3 | Not Defined | 1.0% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.11,1.7.7,1.8c1 | | |
| CVE-2015-0222 | Medium | 5.3 | Not Defined | 2.8000002% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.10,1.7.3 | | |
| CVE-2015-0221 | Medium | 5.3 | Not Defined | 10.1% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.18,1.6.10,1.7.3 | | |
| CVE-2015-0219 | Medium | 5.3 | Not Defined | 0.8% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.18,1.6.10,1.7.3 | | |
| CVE-2014-0473 | Medium | 5.3 | Not Defined | 0.5% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.3 | | |
| CVE-2013-1443 | Medium | 5.3 | Not Defined | 1.3000001% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.4 | | |
| CVE-2014-0482 | Medium | 5.0 | Not Defined | 0.4% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.14,1.5.9,1.6.6,1.7 | | |
| CVE-2015-5144 | Low | 3.7 | Not Defined | 0.6% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.21,1.7.9,1.8.3 | | |
| CVE-2015-2317 | Low | 3.7 | Not Defined | 0.3% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.20,1.6.11,1.7.7,1.8c1 | | |
| CVE-2015-0220 | Low | 3.7 | Not Defined | 0.70000005% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.18,1.6.10,1.7.3 | | |
| CVE-2014-3730 | Low | 3.7 | Not Defined | 0.5% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.6.5 | | |
| CVE-2014-0481 | Low | 3.7 | Not Defined | 2.3% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.14,1.5.9,1.6.6,1.7.1 | | |
| CVE-2016-2513 | Low | 3.1 | Not Defined | 0.70000005% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.8.10,1.9.3 | | |
| CVE-2014-0483 | Low | 3.1 | Not Defined | 0.2% | Django-1.6.1-py2.py3-none-any.whl | Direct | 1.4.14,1.5.9,1.6.6,1.7 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

## Details

Partial details (13 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

## CVE-2022-34265

### Vulnerable Library - Django-1.6.1-py2.py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/53/c4/28cc8a55aa9bf9579bd496f88505f3a14ff0ed4b1c6954a8ba5ce649a685/Django-1.6.1-py2.py3-none-any.whl

Path to dependency file: /test/acceptance/workspaces/fail-on/pinnable/requirements.txt

Path to vulnerable library:

- /test/acceptance/workspaces/fail-on/pinnable/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-already-fixed/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-constraints/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/with-custom-formatting/requirements.txt
- /packages/snyk-fix/test/unit/plugins/python/workspaces/pip-app/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app-multiple-versions/core/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/core/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app-multiple-versions/lib/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/lib/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/requirements.txt
- /packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-already-fixed/core/requirements.txt

Dependency Hierarchy:

- :x: **Django-1.6.1-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe

Found in base branch: main

### Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.

Publish Date: 2022-07-04

URL: CVE-2022-34265

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 16.4%

### CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Release Date: 2022-07-04

Fix Resolution: Django - 3.2.14,4.0.6

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2019-19844

### Vulnerability Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Publish Date: 2019-12-18

URL: CVE-2019-19844

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 22.5%

### CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844

Release Date: 2019-12-18

Fix Resolution: 1.11.27;2.2.9;3.0.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2014-0474

### Vulnerability Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Publish Date: 2014-04-23

URL: CVE-2014-0474

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.7%

### CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474

Release Date: 2014-04-23

Fix Resolution: 1.6.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2016-7401

### Vulnerability Details

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Publish Date: 2016-10-03

URL: CVE-2016-7401

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.8%

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7401

Release Date: 2016-10-03

Fix Resolution: 1.8.15,1.9.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2015-5143

### Vulnerability Details

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Publish Date: 2015-07-14

URL: CVE-2015-5143

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 13.500001%

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143

Release Date: 2015-07-14

Fix Resolution: 1.4.21,1.7.9,1.8.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2014-0480

### Vulnerability Details

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Publish Date: 2014-08-26

URL: CVE-2014-0480

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2016-2512

### Vulnerability Details

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

Publish Date: 2016-04-08

URL: CVE-2016-2512

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

### CVSS 3 Score Details (7.4)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2512

Release Date: 2016-04-08

Fix Resolution: 1.8.10,1.9.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2021-44420

### Vulnerability Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Publish Date: 2021-12-07

URL: CVE-2021-44420

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 3 Score Details (7.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://docs.djangoproject.com/en/3.2/releases/security/

Release Date: 2021-12-07

Fix Resolution: Django - 2.2.25,3.1.14,3.2.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-1418 ### Vulnerable Library - Django-1.6.1-py2.py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/53/c4/28cc8a55aa9bf9579bd496f88505f3a14ff0ed4b1c6954a8ba5ce649a685/Django-1.6.1-py2.py3-none-any.whl

Path to dependency file: /test/acceptance/workspaces/fail-on/pinnable/requirements.txt

Path to vulnerable library: /test/acceptance/workspaces/fail-on/pinnable/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-already-fixed/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-constraints/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/with-custom-formatting/requirements.txt,/packages/snyk-fix/test/unit/plugins/python/workspaces/pip-app/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app-multiple-versions/core/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/core/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app-multiple-versions/lib/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/lib/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/pip-app/requirements.txt,/packages/snyk-fix/test/acceptance/plugins/python/handlers/pip-requirements/update-dependencies/workspaces/app-with-already-fixed/core/requirements.txt

Dependency Hierarchy:
- :x: **Django-1.6.1-py2.py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe

Found in base branch: main

### Vulnerability Details

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers.

Publish Date: 2014-05-16

URL: CVE-2014-1418
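The description above is terse about the mechanism, so here is an added example (not code from Django or from this issue) that models it: a shared cache in front of a view whose body depends on the session cookie. If the response carries neither `Vary: Cookie` nor `Cache-Control: private`, the cache stores it under the bare URL and hands the first user's page to the next user. The cache, the three views and the session table are all constructed for the demonstration; `patch_vary_headers` is the real Django utility the session middleware uses to add `Vary: Cookie`, but it is only named in a comment, not called.

```python
"""Toy shared-cache model for the condition behind CVE-2014-1418.

Added example, not code from Django or from this issue. The cache, the
views and the session table are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


class SharedCache:
    """Minimal Vary-aware cache: an entry is keyed on the URL plus the
    request-header values named by the response's Vary header."""

    def __init__(self):
        # (url, ((header, value), ...)) -> Response
        self._store = {}

    @staticmethod
    def _storable(resp):
        cc = resp.headers.get("Cache-Control", "").lower()
        return "private" not in cc and "no-store" not in cc

    def fetch(self, url, request_headers, origin):
        """Return (response, served_from_cache)."""
        for (stored_url, varied), resp in self._store.items():
            # Empty Vary tuple: every request for the URL matches, whoever
            # sent it. Vary: Cookie: only a request with the same cookie.
            if stored_url == url and all(
                request_headers.get(h, "") == v for h, v in varied
            ):
                return resp, True
        resp = origin(request_headers)
        if self._storable(resp):
            vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
            varied = tuple((h, request_headers.get(h, "")) for h in vary)
            self._store[(url, varied)] = resp
        return resp, False


# Constructed session table: cookie value -> user name.
SESSIONS = {"sessionid=alice": "alice", "sessionid=bob": "bob"}


def _user_for(request_headers):
    return SESSIONS.get(request_headers.get("Cookie", ""), "anonymous")


def leaky_view(request_headers):
    """Per-user content with no caching headers at all (the bug's shape)."""
    return Response(f"Welcome back, {_user_for(request_headers)}")


def vary_cookie_view(request_headers):
    """Same content, marked as varying on Cookie. This is the header
    Django's session middleware adds via patch_vary_headers once the
    session has been read during the request."""
    return Response(f"Welcome back, {_user_for(request_headers)}", {"Vary": "Cookie"})


def private_view(request_headers):
    """Alternative: forbid shared caches from storing the response."""
    return Response(f"Welcome back, {_user_for(request_headers)}",
                    {"Cache-Control": "private, max-age=0"})


def second_user_sees(view):
    """Alice requests /dashboard, then Bob does, through one shared cache.
    Returns (body Bob receives, whether it came from the cache)."""
    cache = SharedCache()
    cache.fetch("/dashboard", {"Cookie": "sessionid=alice"}, view)
    resp, hit = cache.fetch("/dashboard", {"Cookie": "sessionid=bob"}, view)
    return resp.body, hit


if __name__ == "__main__":
    for view in (leaky_view, vary_cookie_view, private_view):
        print(view.__name__, second_user_sees(view))
```

Running it shows Bob receiving "Welcome back, alice" from the cache for `leaky_view`, and his own page (a cache miss) for the other two. The same check can be applied to a real deployment: fetch a logged-in page through the reverse proxy and confirm the response carries `Vary: Cookie` or a private `Cache-Control` before trusting the cache with it.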

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-1418

Release Date: 2014-05-16

Fix Resolution: 1.6.5

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2016-6186

### Vulnerable Library - Django-1.6.1-py2.py3-none-any.whl

### Vulnerability Details

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.

Publish Date: 2016-08-05

URL: CVE-2016-6186

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6186

Release Date: 2016-08-05

Fix Resolution: 1.8.14,1.9.8,1.10rc1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2014-0472

### Vulnerable Library - Django-1.6.1-py2.py3-none-any.whl

### Vulnerability Details

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Publish Date: 2014-04-23

URL: CVE-2014-0472
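To make the "dotted Python path" mechanism concrete, here is an added example (not Django's code and not from this issue). Before the fix, `reverse()` would resolve a dotted path such as `pkg.module.view` by importing `pkg.module`, and importing a module runs its top-level code; a view that passed user input into `reverse()` therefore let the client pick the module. `lookup_view_by_import` below mimics that pre-fix shape in miniature, `reverse_by_name` is the hardened shape (named URL patterns only, which is all current Django accepts since dotted-path reversing was removed in 1.10), and the URL registry and the throwaway side-effect module are constructed for the demonstration.

```python
"""Added example for CVE-2014-0472. Not Django's code; the registry, the
lookup functions and the side-effect module are constructed for the demo.
"""
import importlib
import os
import sys
import tempfile

# Constructed URLconf: named patterns only; names are never dotted paths.
URL_NAMES = {"home": "/", "profile": "/accounts/profile/"}


def lookup_view_by_import(dotted_path):
    """Pre-fix shape: resolve 'pkg.module.view' by importing pkg.module.
    Whatever module the caller names gets executed on import."""
    module_name, _, attr = dotted_path.rpartition(".")
    if not module_name:
        raise ValueError("not a dotted path")
    module = importlib.import_module(module_name)  # runs module top-level code
    return getattr(module, attr, None)


def reverse_by_name(name):
    """Hardened shape: accept only names registered in the URLconf and
    reject anything that looks like a dotted path outright."""
    if "." in name or name not in URL_NAMES:
        raise ValueError(f"unknown URL name: {name!r}")
    return URL_NAMES[name]


def make_side_effect_module():
    """Constructed for the demo: write a throwaway module whose import sets
    an environment variable, so the side effect of importing is observable."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "demo_imported_module.py"), "w") as fh:
        fh.write("import os\nos.environ['DEMO_MODULE_IMPORTED'] = '1'\n")
    sys.path.insert(0, tmp)
    importlib.invalidate_caches()
    return "demo_imported_module"


def import_triggered_by(user_supplied):
    """Feed attacker-chosen input to the pre-fix lookup and report whether
    the named module's top-level code ran."""
    os.environ.pop("DEMO_MODULE_IMPORTED", None)
    sys.modules.pop("demo_imported_module", None)  # force a fresh import
    try:
        lookup_view_by_import(user_supplied)
    except ImportError:
        return False
    return os.environ.get("DEMO_MODULE_IMPORTED") == "1"


if __name__ == "__main__":
    mod = make_side_effect_module()
    print("pre-fix lookup ran the module:", import_triggered_by(f"{mod}.view"))
    print("hardened lookup:", reverse_by_name("profile"))
    try:
        reverse_by_name(f"{mod}.view")
    except ValueError as exc:
        print("hardened lookup rejected:", exc)
```

The practical rule this illustrates: never build a `reverse()` argument from request data. Map user-facing values to a fixed set of URL names on the server side, and treat any dot in a value destined for URL resolution as a red flag.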

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.6%

### CVSS 3 Score Details (5.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472

Release Date: 2014-04-23

Fix Resolution: 1.6.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2015-2316

### Vulnerable Library - Django-1.6.1-py2.py3-none-any.whl

### Vulnerability Details

The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.

Publish Date: 2015-03-25

URL: CVE-2015-2316
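An added example (not Django's `strip_tags`, and not from this issue) of why a tag stripper has to loop and how to make that loop terminate. A single pass can leave a string that again contains a tag (`<scr<b>ipt>` becomes `<script>`), so the stripper is applied repeatedly; a loop that runs "until the output stops changing" never ends if the stripper ever maps a string to another of the same length and back. The guard used here accepts a pass only if it shortened the input, which bounds the number of passes by the input length. The regex stripper, the deliberately cycling stripper and the sample inputs are constructed for the demonstration.

```python
"""Added example for CVE-2015-2316. Not Django's code; the strippers and
inputs are constructed for the demo.
"""
import re

# One pass: remove <...> spans that contain no further '<' or '>'.
_TAG = re.compile(r"<[^<>]*>")


def _strip_once(value):
    return _TAG.sub("", value)


def _cycling_strip_once(value):
    """Constructed pathological stripper: rewrites '<a>' to '<b>' and back,
    never shortening the string, to stand in for a stripper with a cycle."""
    return value.replace("<a>", "<b>") if "<a>" in value else value.replace("<b>", "<a>")


def strip_until_stable(value, strip_once=_strip_once, limit=1000):
    """The fragile pattern: repeat until the output stops changing.
    ``limit`` exists only so this demo cannot hang; without it the cycling
    stripper loops forever."""
    passes = 0
    while passes < limit:
        new_value = strip_once(value)
        passes += 1
        if new_value == value:
            break
        value = new_value
    return value, passes


def strip_tags_with_passes(value, strip_once=_strip_once):
    """Guarded pattern: a pass is accepted only if it made the string
    shorter, so at most len(value) passes can ever run."""
    passes = 0
    while "<" in value and ">" in value:
        new_value = strip_once(value)
        passes += 1
        if len(new_value) >= len(value):
            # No progress: stop rather than risk cycling on this input.
            break
        value = new_value
    return value, passes


def strip_tags(value):
    """Return the text with tags stripped, using the guarded loop."""
    return strip_tags_with_passes(value)[0]


if __name__ == "__main__":
    nested = "<scr<b>ipt>alert(1)</scr<b>ipt>"
    print(strip_tags_with_passes(nested))                      # ('alert(1)', 2)
    print(strip_tags_with_passes("<a>x", _cycling_strip_once))  # stops after 1 pass
    print(strip_until_stable("<a>x", _cycling_strip_once)[1])   # hits the 1000 limit
```

Two caveats a practitioner should keep in mind: the length guard is what makes the worst case linear in the input size, so keep it even if the underlying stripper changes; and `strip_tags` is not a sanitizer (the output above is the text `alert(1)`, not safe HTML), so XSS defence still has to come from escaping at output time.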

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.0%

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-2316

Release Date: 2015-03-25

Fix Resolution: 1.6.11,1.7.7,1.8c1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
## CVE-2015-0222

### Vulnerable Library - Django-1.6.1-py2.py3-none-any.whl

### Vulnerability Details

ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.

Publish Date: 2015-01-16

URL: CVE-2015-0222
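An added example (not Django's `ModelMultipleChoiceField`, and not from this issue) of the query amplification the description refers to and the fix shape. The field must confirm that every submitted primary key exists; doing that with one query per submitted value lets a client who repeats the same value thousands of times turn one form post into thousands of queries. Deduplicating first and resolving the set in a single `IN` query removes the amplification. The query-counting repository stub and the sample data are constructed for the demonstration.

```python
"""Added example for CVE-2015-0222. Not Django's code; the repository
stub and inputs are constructed for the demo.
"""


class CountingRepo:
    """Stand-in for a queryset over a table; counts the queries it runs."""

    def __init__(self, existing_pks):
        self.existing = set(existing_pks)
        self.queries = 0

    def exists(self, pk):
        self.queries += 1            # SELECT ... WHERE id = %s
        return pk in self.existing

    def filter_in(self, pks):
        self.queries += 1            # SELECT ... WHERE id IN (...)
        return self.existing & set(pks)


def _to_pk(raw):
    """Coerce one submitted value; reject anything that is not an int."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        raise ValueError(f"invalid choice: {raw!r}")


def check_values_per_item(repo, submitted):
    """Vulnerable shape: one query per submitted value, duplicates included."""
    chosen = []
    for raw in submitted:
        pk = _to_pk(raw)
        if not repo.exists(pk):
            raise ValueError(f"invalid choice: {raw!r}")
        chosen.append(pk)
    return chosen


def check_values_deduplicated(repo, submitted):
    """Hardened shape: coerce, deduplicate, then a single IN query."""
    wanted = {_to_pk(raw) for raw in submitted}
    found = repo.filter_in(wanted)
    missing = wanted - found
    if missing:
        raise ValueError(f"invalid choices: {sorted(missing)}")
    return sorted(found)


def queries_used(check, submitted, existing_pks=range(1, 101)):
    """Run a checker over a submission and report how many queries it cost."""
    repo = CountingRepo(existing_pks)
    check(repo, submitted)
    return repo.queries


if __name__ == "__main__":
    flood = ["7"] * 10_000           # constructed hostile POST body
    print("per-item checker:", queries_used(check_values_per_item, flood))
    print("deduplicated checker:", queries_used(check_values_deduplicated, flood))
```

Beyond deduplication, a form that accepts a multi-valued field from anonymous clients should also cap the number of submitted values before touching the database; the hardened checker keeps query count constant, but coercion and set construction still cost time proportional to the submission size.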

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.8%

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0222

Release Date: 2015-01-16

Fix Resolution: 1.6.10,1.7.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.