Lucene search
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-2569.NASLHistoryFeb 22, 2021 - 12:00 a.m.
Debian DLA-2569-1 : python-django security update
2021-02-2200:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17
8.3 High
AI Score
Confidence
High
It was discovered that there was a web cache poisoning attack in Django, a popular Python-based web development framework.
This was caused by the unsafe handling of ‘;’ characters in Python’s urllib.parse.parse_qsl method which had been backported to Django’s codebase to fix some other security issues in the past.
For Debian 9 ‘Stretch’, this problem has been fixed in version 1:1.10.7-2+deb9u11.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2569-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(146666);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/19");
script_cve_id("CVE-2021-23336");
script_name(english:"Debian DLA-2569-1 : python-django security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security update.");
script_set_attribute(attribute:"description", value:
"It was discovered that there was a web cache poisoning attack in
Django, a popular Python-based web development framework.
This was caused by the unsafe handling of ';' characters in Python's
urllib.parse.parse_qsl method which had been backported to Django's
codebase to fix some other security issues in the past.
For Debian 9 'Stretch', this problem has been fixed in version
1:1.10.7-2+deb9u11.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-django
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/python-django");
# https://security-tracker.debian.org/tracker/source-package/python-django
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?22eb32f6");
script_set_attribute(attribute:"solution", value:
"Upgrade the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-23336");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/02/15");
script_set_attribute(attribute:"patch_publication_date", value:"2021/02/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/02/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-django");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"9.0", prefix:"python-django", reference:"1:1.10.7-2+deb9u11")) flag++;
if (deb_check(release:"9.0", prefix:"python-django-common", reference:"1:1.10.7-2+deb9u11")) flag++;
if (deb_check(release:"9.0", prefix:"python-django-doc", reference:"1:1.10.7-2+deb9u11")) flag++;
if (deb_check(release:"9.0", prefix:"python3-django", reference:"1:1.10.7-2+deb9u11")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | python-django | p-cpe:/a:debian:debian_linux:python-django |
| debian | debian_linux | python-django-common | p-cpe:/a:debian:debian_linux:python-django-common |
| debian | debian_linux | python-django-doc | p-cpe:/a:debian:debian_linux:python-django-doc |
| debian | debian_linux | python3-django | p-cpe:/a:debian:debian_linux:python3-django |
| debian | debian_linux | 9.0 | cpe:/o:debian:debian_linux:9.0 |
Related
nessus
nessus
SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2021:0768-1)
2021-03-12 00:00:00
Fedora 32 : mingw-python3 (2021-309bc2e727)
2021-03-15 00:00:00
SUSE SLES12 Security Update : python36 (SUSE-SU-2021:0887-1)
2021-03-22 00:00:00
openvas
openvas
Fedora: Security Advisory for python39 (FEDORA-2021-7c1bb32d13)
2021-03-01 00:00:00
Fedora: Security Advisory for python-django (FEDORA-2021-1bb399a5af)
2021-03-13 00:00:00
Ubuntu: Security Advisory (USN-4742-1)
2021-02-23 00:00:00
redhatcve
redhatcve
CVE-2021-23336
2021-02-15 20:05:02
fedora
fedora
[SECURITY] Fedora 34 Update: python-django-3.1.7-1.fc34
2021-03-19 20:27:58
[SECURITY] Fedora 34 Update: mingw-python3-3.9.2-2.fc34
2021-03-19 20:28:38
[SECURITY] Fedora 33 Update: mingw-python3-3.9.2-1.fc33
2021-03-15 01:19:58
debiancve
debiancve
CVE-2021-23336
2021-02-15 13:15:00
alpinelinux
alpinelinux
CVE-2021-23336
2021-02-15 13:15:00
mageia
mageia
Updated python and python3 packages fix security vulnerability
2021-04-02 13:16:21
Updated python-django package fixes a security vulnerability
2021-03-15 00:20:42
osv
osv
python-django vulnerability
2021-02-22 14:08:03
python-django - security update
2021-02-19 00:00:00
CVE-2021-23336
2021-02-15 13:15:12
cve
cve
debian
debian
[SECURITY] [DLA 2569-1] python-django security update
2021-02-19 16:24:07
[SECURITY] [DLA 2628-1] python2.7 security update
2021-04-17 19:31:24
[SECURITY] [DLA 2619-1] python3.5 security update
2021-04-05 16:08:19
suse
suse
Security update for python (moderate)
2021-03-17 00:00:00
veracode
veracode
Web Cache Poisoning
2021-02-20 06:44:58
cbl_mariner
cbl_mariner
CVE-2021-23336 affecting package python3 3.7.9-4
2021-07-08 21:56:42
CVE-2021-23336 affecting package python2 2.7.18-8
2022-04-09 06:51:57
CVE-2021-23336 affecting package python2 2.7.18-14
2021-04-06 23:50:12
archlinux
archlinux
[ASA-202102-28] python-django: url request injection
2021-02-20 00:00:00
[ASA-202102-37] python: multiple issues
2021-02-27 00:00:00
[ASA-202103-27] python2: multiple issues
2021-03-25 00:00:00
ubuntu
ubuntu
Django vulnerability
2021-02-22 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2021-0204
2021-03-05 00:00:00
Moderate Photon OS Security Update - PHSA-2021-3.0-0204
2021-03-05 00:00:00
prion
prion
Design/Logic Flaw
2021-02-15 13:15:00
Design/Logic Flaw
2021-01-18 12:15:00
Design/Logic Flaw
2021-05-02 08:15:00
ubuntucve
ubuntucve
CVE-2021-23336
2021-02-15 00:00:00
altlinux
altlinux
amazon
amazon
Medium: python36
2021-05-14 16:53:00
Low: python34
2021-05-20 21:12:00
Medium: python3
2021-05-20 16:15:00
gentoo
gentoo
Python: Multiple vulnerabilities
2021-04-30 00:00:00
almalinux
almalinux
Moderate: python3 security update
2021-05-18 05:42:46
Moderate: python27:2.7 security update
2021-11-09 08:24:39
github
github
Cross-site Scripting in Apache Airflow
2021-06-18 18:43:42
oraclelinux
oraclelinux
python3 security update
2021-05-25 00:00:00
python27:2.7 security update
2021-11-16 00:00:00
python38:3.8 and python38-devel:3.8 security update
2021-11-16 00:00:00
redhat
redhat
(RHSA-2021:1633) Moderate: python3 security update
2021-05-18 05:42:46
(RHSA-2021:4151) Moderate: python27:2.7 security update
2021-11-09 08:24:39
(RHSA-2021:3252) Moderate: python27 security update
2021-08-24 07:29:51
sonarsource
sonarsource
10 Unknown Security Pitfalls for Python
2021-11-16 00:00:00
rocky
rocky
python27:2.7 security update
2021-11-09 08:24:39
fortinet
fortinet
Multiple vulnerabilities in Apache Airflow
2022-06-07 00:00:00