Archiwum problemów bezpieczeństwa¶
Zespół rozwoju Django jest silnie zaangażowany w odpowiedzialne raportowanie i ujawnianie problemów bezpieczeństwa, co zostało opisane w Polityce bezpieczeństwa Django.
W ramach tego zobowiązania, utrzymujemy następującą, historyczną listę problemów, które zostały naprawione i ujawnione. Poniższa lista problemów zawiera datę, krótki opis, identyfikator CVE <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`_ jeśli nadany, listę podatnych wersji, link do pełnego ujawnienia i linki do odpowiednich łatek.
Pewne ważne ostrzeżenia dotyczą tej informacji:
- Lists of affected versions include only those versions of Django which had stable, security-supported releases at the time of disclosure. This means older versions (whose security support had expired) and versions which were in pre-release (alpha/beta/RC) states at the time of disclosure may have been affected, but are not listed.
- The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.
Issues prior to Django’s security process¶
Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.
August 16, 2006 - CVE-2007-0404¶
Filename validation issue in translation framework. Full description
January 21, 2007 - CVE-2007-0405¶
Apparent „caching” of authenticated user. Full description
Issues under Django’s security process¶
All other security issues have been handled under versions of Django’s security process. These are listed below.
October 26, 2007 - CVE-2007-5712¶
Denial-of-service via arbitrarily-large Accept-Language header. Full
description
May 14, 2008 - CVE-2008-2302¶
XSS via admin login redirect. Full description
September 2, 2008 - CVE-2008-3909¶
CSRF via preservation of POST data during admin login. Full description
July 28, 2009 - CVE-2009-2659¶
Directory-traversal in development server media handler. Full description
October 9, 2009 - CVE-2009-3965¶
Denial-of-service via pathological regular expression performance. Full description
September 8, 2010 - CVE-2010-3082¶
XSS via trusting unsafe cookie value. Full description
December 22, 2010 - CVE-2010-4534¶
Information leakage in administrative interface. Full description
December 22, 2010 - CVE-2010-4535¶
Denial-of-service in password-reset mechanism. Full description
February 8, 2011 - CVE-2011-0696¶
CSRF via forged HTTP headers. Full description
February 8, 2011 - CVE-2011-0697¶
XSS via unsanitized names of uploaded files. Full description
February 8, 2011 - CVE-2011-0698¶
Directory-traversal on Windows via incorrect path-separator handling. Full description
September 9, 2011 - CVE-2011-4136¶
Session manipulation when using memory-cache-backed session. Full description
September 9, 2011 - CVE-2011-4137¶
Denial-of-service via URLField.verify_exists. Full description
September 9, 2011 - CVE-2011-4138¶
Information leakage/arbitrary request issuance via URLField.verify_exists.
Full description
September 9, 2011 - CVE-2011-4139¶
Host header cache poisoning. Full description
September 9, 2011 - CVE-2011-4140¶
Potential CSRF via Host header. Full description
Versions affected¶
This notification was an advisory only, so no patches were issued.
- Django 1.2
- Django 1.3
July 30, 2012 - CVE-2012-3442¶
XSS via failure to validate redirect scheme. Full description
July 30, 2012 - CVE-2012-3443¶
Denial-of-service via compressed image files. Full description
July 30, 2012 - CVE-2012-3444¶
Denial-of-service via large image files. Full description
October 17, 2012 - CVE-2012-4520¶
Host header poisoning. Full description
December 10, 2012 - No CVE 1¶
Additional hardening of Host header handling. Full description
December 10, 2012 - No CVE 2¶
Additional hardening of redirect validation. Full description
February 19, 2013 - No CVE¶
Additional hardening of Host header handling. Full description
February 19, 2013 - CVE-2013-1664 / CVE-2013-1665¶
Entity-based attacks against Python XML libraries. Full description
February 19, 2013 - CVE-2013-0305¶
Information leakage via admin history log. Full description
February 19, 2013 - CVE-2013-0306¶
Denial-of-service via formset max_num bypass. Full description
August 13, 2013 - CVE-2013-4249¶
XSS via admin trusting URLField values. Full description
August 13, 2013 - CVE-2013-6044¶
Possible XSS via unvalidated URL redirect schemes. Full description
September 10, 2013 - CVE-2013-4315¶
Directory-traversal via ssi template tag. Full description
September 14, 2013 - CVE-2013-1443¶
Denial-of-service via large passwords. Full description
Versions affected¶
- Django 1.4 (patch and Python compatibility fix)
- Django 1.5 (patch)
April 21, 2014 - CVE-2014-0472¶
Unexpected code execution using reverse(). Full description
April 21, 2014 - CVE-2014-0473¶
Caching of anonymous pages could reveal CSRF token. Full description
April 21, 2014 - CVE-2014-0474¶
MySQL typecasting causes unexpected query results. Full description
May 18, 2014 - CVE-2014-1418¶
Caches may be allowed to store and serve private data. Full description
May 18, 2014 - CVE-2014-3730¶
Malformed URLs from user input incorrectly validated. Full description
August 20, 2014 - CVE-2014-0480¶
reverse() can generate URLs pointing to other hosts. Full description
August 20, 2014 - CVE-2014-0481¶
File upload denial of service. Full description
August 20, 2014 - CVE-2014-0482¶
RemoteUserMiddleware session hijacking. Full description
August 20, 2014 - CVE-2014-0483¶
Data leakage via querystring manipulation in admin. Full description
January 13, 2015 - CVE-2015-0219¶
WSGI header spoofing via underscore/dash conflation. Full description
January 13, 2015 - CVE-2015-0220¶
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
January 13, 2015 - CVE-2015-0221¶
Denial-of-service attack against django.views.static.serve(). Full
description
January 13, 2015 - CVE-2015-0222¶
Database denial-of-service with ModelMultipleChoiceField. Full description
March 9, 2015 - CVE-2015-2241¶
XSS attack via properties in ModelAdmin.readonly_fields. Full description
March 18, 2015 - CVE-2015-2316¶
Denial-of-service possibility with strip_tags(). Full description
March 18, 2015 - CVE-2015-2317¶
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
May 20, 2015 - CVE-2015-3982¶
Fixed session flushing in the cached_db backend. Full description
July 8, 2015 - CVE-2015-5143¶
Denial-of-service possibility by filling session store. Full description
July 8, 2015 - CVE-2015-5144¶
Header injection possibility since validators accept newlines in input. Full description
July 8, 2015 - CVE-2015-5145¶
Denial-of-service possibility in URL validation. Full description
August 18, 2015 - CVE-2015-5963 / CVE-2015-5964¶
Denial-of-service possibility in logout() view by filling session store.
Full description
24 listopada 2015 - CVE-2015-8213¶
Settings leak possibility in date template filter. Full description
1 lutego 2016 - CVE-2016-2048¶
User with „change” but not „add” permission can create objects for
ModelAdmin’s with save_as=True. Full description
1 marca 2016 - CVE-2016-2512¶
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description
1 marca 2016 – CVE-2016-2513¶
User enumeration through timing difference on password hasher work factor upgrade. Full description
18 lipca 2016 – CVE-2016-6186¶
XSS w popupie „dodaj/zmień powiązane” panelu administracyjnego. Pełny opis
26 września 2016 – CVE-2016-7401¶
Obejście ochrony CSRF na stronie z Google Analytics. Pełny opis
1 listopada 2016 - CVE-2016-9013¶
Użytkownik z hasłem przydzielonym na sztywno podczas uruchamiania testów w Oracle. Pełny opis
1 listopada 2016 - CVE-2016-9014¶
Podatność ponownego wiązania DNS, kiedy DEBUG=True. Pełny opis <https://www.djangoproject.com/weblog/2016/nov/01/security-releases/>`__
April 4, 2017 - CVE-2017-7233¶
Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description
April 4, 2017 - CVE-2017-7234¶
Open redirect vulnerability in django.views.static.serve(). Full
description
September 5, 2017 - CVE-2017-12794¶
Possible XSS in traceback section of technical 500 debug page. Full description
February 1, 2018 - CVE-2018-6188¶
Information leakage in AuthenticationForm. Full description
March 6, 2018 - CVE-2018-7536¶
Denial-of-service possibility in urlize and urlizetrunc template
filters. Full description
March 6, 2018 - CVE-2018-7537¶
Denial-of-service possibility in truncatechars_html and
truncatewords_html template filters. Full description