Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DLA-3164.NASL
HistoryOct 28, 2022 - 12:00 a.m.

Debian DLA-3164-1 : python-django - LTS security update

2022-10-2800:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29
JSON

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3164 advisory.

  • An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command. (CVE-2020-24583)

  • An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system’s standard umask rather than 0o077. (CVE-2020-24584)

  • The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. (CVE-2021-23336)

  • In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by startapp --template and startproject --template) allows directory traversal via an archive with absolute paths or relative paths with dot segments. (CVE-2021-3281)

  • An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3164. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(166698);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/06");

  script_cve_id(
    "CVE-2020-24583",
    "CVE-2020-24584",
    "CVE-2021-3281",
    "CVE-2021-23336",
    "CVE-2022-34265"
  );

  script_name(english:"Debian DLA-3164-1 : python-django - LTS security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3164 advisory.

  - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python
    3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories
    created in the process of uploading files. It was also not applied to intermediate-level collected static
    directories when using the collectstatic management command. (CVE-2020-24583)

  - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python
    3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask
    rather than 0o077. (CVE-2020-24584)

  - The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before
    3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and
    urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query
    parameters using a semicolon (;), they can cause a difference in the interpretation of the request between
    the proxy (running with default configuration) and the server. This can result in malicious requests being
    cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and
    therefore would not include it in a cache key of an unkeyed parameter. (CVE-2021-23336)

  - In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract
    method (used by startapp --template and startproject --template) allows directory traversal via an
    archive with absolute paths or relative paths with dot segments. (CVE-2021-3281)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()
    database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2022/dla-3164");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-24583");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2020-24584");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-23336");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-3281");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-34265");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/python-django");
  script_set_attribute(attribute:"solution", value:
"Upgrade the python-django packages.

For Debian 10 Buster, these problems have been fixed in version 1");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-34265");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python3-django");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '10.0', 'prefix': 'python-django', 'reference': '1:1.11.29-1+deb10u2'},
    {'release': '10.0', 'prefix': 'python-django-common', 'reference': '1:1.11.29-1+deb10u2'},
    {'release': '10.0', 'prefix': 'python-django-doc', 'reference': '1:1.11.29-1+deb10u2'},
    {'release': '10.0', 'prefix': 'python3-django', 'reference': '1:1.11.29-1+deb10u2'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-django / python-django-common / python-django-doc / etc');
}
VendorProductVersionCPE
debiandebian_linuxpython-djangop-cpe:/a:debian:debian_linux:python-django
debiandebian_linuxpython-django-commonp-cpe:/a:debian:debian_linux:python-django-common
debiandebian_linuxpython-django-docp-cpe:/a:debian:debian_linux:python-django-doc
debiandebian_linuxpython3-djangop-cpe:/a:debian:debian_linux:python3-django
debiandebian_linux10.0cpe:/o:debian:debian_linux:10.0

Related

debian 3
osv 28
openvas 44
fedora 21
nessus 31
freebsd 2
ubuntu 5
archlinux 3
altlinux 5
github 4
ubuntucve 5
alpinelinux 5
githubexploit 6
cve 5
veracode 5
redhatcve 5
prion 5
debiancve 5
jvn 1
redhat 1
mageia 3
suse 1
cbl_mariner 3
photon 2
sonarsource 1
debian
debian
[SECURITY] [DLA 3164-1] python-django security update
2022-10-28 17:28:30
[SECURITY] [DLA 2540-1] python-django security update
2021-02-01 18:37:39
[SECURITY] [DLA 2569-1] python-django security update
2021-02-19 16:24:07
osv
osv
python-django - security update
2022-10-27 00:00:00
PYSEC-2020-34
2020-09-01 13:15:00
Django Incorrect Default Permissions
2021-03-18 20:30:01
openvas
openvas
Debian: Security Advisory (DLA-3164-1)
2022-10-30 00:00:00
Ubuntu: Security Advisory (USN-4479-1)
2020-09-02 00:00:00
Fedora: Security Advisory for python-django (FEDORA-2020-6941c0a65b)
2020-09-13 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: python-django-3.0.10-3.fc32
2020-09-12 16:34:37
[SECURITY] Fedora 31 Update: python-django-2.2.16-1.fc31
2020-09-12 16:37:34
[SECURITY] Fedora 33 Update: python-django-3.0.10-3.fc33
2020-09-25 17:14:42
nessus
nessus
FreeBSD : Django -- multiple vulnerabilities (002432c8-ef6a-11ea-ba8f-08002728f74c)
2020-09-08 00:00:00
Fedora 32 : python-django (2020-94407454d7)
2020-09-14 00:00:00
Fedora 31 : python-django (2020-6941c0a65b)
2020-09-14 00:00:00
freebsd
freebsd
Django -- multiple vulnerabilities
2020-09-01 00:00:00
Django -- multiple vulnerabilities
2022-06-21 00:00:00
ubuntu
ubuntu
Django vulnerabilities
2020-09-01 00:00:00
Django vulnerability
2022-07-04 00:00:00
Django vulnerability
2021-02-01 00:00:00
archlinux
archlinux
[ASA-202009-4] python-django: multiple issues
2020-09-03 00:00:00
[ASA-202102-18] python-django: directory traversal
2021-02-07 00:00:00
[ASA-202102-28] python-django: url request injection
2021-02-20 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package python3-module-django version 2.2.19-alt1
2021-02-24 00:00:00
Security fix for the ALT Linux 9 package python3-module-django version 2.2.19-alt1
2021-04-12 00:00:00
Security fix for the ALT Linux 9 package python3-module-django version 2.2.17-alt1
2020-12-11 00:00:00
github
github
Django Incorrect Default Permissions
2021-03-18 20:30:01
Django Incorrect Default Permissions
2021-03-18 20:30:13
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
2022-07-05 00:00:53
ubuntucve
ubuntucve
CVE-2020-24583
2020-09-01 00:00:00
CVE-2020-24584
2020-09-01 00:00:00
CVE-2022-34265
2022-07-04 00:00:00
alpinelinux
alpinelinux
CVE-2022-34265
2022-07-04 16:15:00
CVE-2020-24583
2020-09-01 13:15:00
CVE-2020-24584
2020-09-01 13:15:00
githubexploit
githubexploit
Exploit for SQL Injection in Djangoproject Django
2022-08-24 07:29:30
Exploit for SQL Injection in Djangoproject Django
2022-07-13 13:02:41
Exploit for SQL Injection in Djangoproject Django
2022-09-08 21:22:28
cve
cve
CVE-2020-24584
2020-09-01 13:15:00
CVE-2020-24583
2020-09-01 13:15:00
CVE-2022-34265
2022-07-04 16:15:00
veracode
veracode
Authorization Bypass
2020-09-02 03:58:03
Privilege Escalation
2020-09-02 05:49:52
SQL Injection
2022-07-05 04:15:37
redhatcve
redhatcve
CVE-2020-24583
2020-09-01 13:48:54
CVE-2020-24584
2020-09-01 13:48:55
CVE-2022-34265
2022-07-04 14:36:30
prion
prion
Design/Logic Flaw
2020-09-01 13:15:00
Command injection
2020-09-01 13:15:00
Sql injection
2022-07-04 16:15:00
debiancve
debiancve
CVE-2020-24584
2020-09-01 13:15:00
CVE-2020-24583
2020-09-01 13:15:00
CVE-2022-34265
2022-07-04 16:15:00
jvn
jvn
JVN#12610194: Django Extract and Trunc functions vulnerable to SQL injection
2022-07-12 00:00:00
redhat
redhat
(RHSA-2022:5738) Important: Django 3.2.14 Security Update
2022-07-27 14:32:20
mageia
mageia
Updated python and python3 packages fix security vulnerability
2021-04-02 13:16:21
Updated python-django package fixes a security vulnerability
2021-03-15 00:20:42
Updated python-django packages fix security vulnerability
2022-08-13 05:32:35
suse
suse
Security update for python (moderate)
2021-03-17 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-23336 affecting package python3 3.7.9-4
2021-07-08 21:56:42
CVE-2021-23336 affecting package python2 2.7.18-8
2022-04-09 06:51:57
CVE-2021-23336 affecting package python2 2.7.18-14
2021-04-06 23:50:12
photon
photon
Important Photon OS Security Update - PHSA-2021-0204
2021-03-05 00:00:00
Moderate Photon OS Security Update - PHSA-2021-3.0-0204
2021-03-05 00:00:00
sonarsource
sonarsource
10 Unknown Security Pitfalls for Python
2021-11-16 00:00:00
JSON
Related for DEBIAN_DLA-3164.NASL
debian3osv28openvas44fedora21nessus31freebsd2ubuntu5archlinux3altlinux5github4ubuntucve5alpinelinux5githubexploit6cve5veracode5redhatcve5prion5debiancve5jvn1redhat1mageia3suse1cbl_mariner3photon2sonarsource1