An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters.
This PR contains the following updates:
==4.2.11->==4.2.14GitHub Vulnerability Alerts
CVE-2024-38875
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.
CVE-2024-39330
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the
django.core.files.storage.Storagebase class, when they overridegenerate_filename()without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during asave()call. (Built-in Storage sub-classes are unaffected.)CVE-2024-39329
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The
django.contrib.auth.backends.ModelBackend.authenticate()method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.CVE-2024-39614
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14.
get_supported_language_variant()was subject to a potential denial-of-service attack when used with very long strings containing specific characters.Release Notes
django/django (Django)
### [`v4.2.14`](https://togithub.com/django/django/compare/4.2.13...4.2.14) [Compare Source](https://togithub.com/django/django/compare/4.2.13...4.2.14) ### [`v4.2.13`](https://togithub.com/django/django/compare/4.2.12...4.2.13) [Compare Source](https://togithub.com/django/django/compare/4.2.12...4.2.13) ### [`v4.2.12`](https://togithub.com/django/django/compare/4.2.11...4.2.12) [Compare Source](https://togithub.com/django/django/compare/4.2.11...4.2.12)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.