BIT-DJANGO-2021-33571
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. validate_ipv4_address and...
Updated python-django package fixes security vulnerabilities
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability CVE-2021-28658. In Django 2.2 before 2.2.21, 3.1 before 3.1.9, an...
CVE-2021-33571
CVE-2021-33571 affects Django: URLValidator, validate_ipv4_address, and validate_ipv46_address fail to prohibit leading zeros in octal literals in affected releases (2.2.x <2.2.24, 3.x <3.1.12, 3.2
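The two CVE-2021-33571 entries above describe the bug class but not the mechanism. The added example below (written for this page, not Django's code) models it: a lenient validator that only bounds the decimal value of each octet accepts "0177.0.0.1", a literal denylist that blocks "127.0.0.1" by string comparison lets it through, and a consumer that follows the inet_aton convention (leading 0 means octal) resolves it to loopback. The `permissive_is_ipv4`, `strict_is_ipv4`, `inet_aton_style` and `access_decision` functions and the denylist are all constructed for the illustration. Note that the result also depends on the Python version underneath Django: `ipaddress` accepted leading zeros until it was changed in 3.9.5 (CVE-2021-29921), so a validator that defers to it behaves differently across interpreters, which is why the strict check here rejects leading zeros itself.

```python
import re

# Constructed example, not Django's code. Two IPv4 validators and a model of
# how a downstream consumer following the inet_aton convention reads octets.

PERMISSIVE_OCTET = re.compile(r"[0-9]{1,4}")        # digits only; allows "0177"
STRICT_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")     # decimal, no leading zero


def permissive_is_ipv4(value: str) -> bool:
    """Lenient check (assumption: models a validator that only bounds the
    decimal value of each octet). Accepts leading zeros such as '0177'."""
    parts = value.split(".")
    return len(parts) == 4 and all(
        PERMISSIVE_OCTET.fullmatch(p) and int(p, 10) <= 255 for p in parts
    )


def strict_is_ipv4(value: str) -> bool:
    """Hardened check: exactly four decimal octets, no leading zeros, 0..255."""
    parts = value.split(".")
    return len(parts) == 4 and all(
        STRICT_OCTET.fullmatch(p) and int(p, 10) <= 255 for p in parts
    )


def inet_aton_style(value: str) -> str:
    """Emulate the classic inet_aton octet rules (glibc/BSD): a leading '0'
    means octal, '0x' means hex, otherwise decimal. Simplified to exactly four
    parts. Returns canonical dotted decimal, i.e. the host the consumer uses."""
    octets = []
    for part in value.split("."):
        if part[:2].lower() == "0x":
            n = int(part[2:], 16)
        elif len(part) > 1 and part[0] == "0":
            n = int(part, 8)
        else:
            n = int(part, 10)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {part}")
        octets.append(n)
    if len(octets) != 4:
        raise ValueError("expected four octets")
    return ".".join(str(n) for n in octets)


def access_decision(value: str, denylist: set, validator) -> str:
    """Model of IP-based access control: validate the string, then compare it
    against a denylist of literal addresses (the pattern the CVE calls
    bypassable). Returns 'invalid', 'blocked' or 'allowed'."""
    if not validator(value):
        return "invalid"
    if value in denylist:
        return "blocked"
    return "allowed"


LOOPBACK_DENYLIST = {"127.0.0.1"}   # constructed policy: never talk to loopback
ATTACKER_INPUT = "0177.0.0.1"       # 0177 octal == 127 decimal

if __name__ == "__main__":
    print(access_decision(ATTACKER_INPUT, LOOPBACK_DENYLIST, permissive_is_ipv4))
    print(inet_aton_style(ATTACKER_INPUT))
    print(access_decision(ATTACKER_INPUT, LOOPBACK_DENYLIST, strict_is_ipv4))
```

The lesson for a practitioner is that the validator and the consumer must agree on the grammar: compare canonical addresses (parse, then compare `ipaddress` objects), not the attacker's raw string, and reject any octet the strict grammar does not cover.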
Code injection
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an email message to the EmailValidator, a ...
CVE-2015-5144
CVE-2015-5144 affects Django prior to 1.4.21, 1.5.x–1.6.x, 1.7.x prior to 1.7.9, and 1.8.x prior to 1.8.3. The root cause is an incorrect regular expression in built-in validators, enabling remote attackers to inject arbitrary headers and perform HTTP response splitting via newline characters in ...
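The "incorrect regular expression" in the CVE-2015-5144 entries above is an anchoring problem: in Python, `$` matches not only at the end of the string but also just before a trailing newline, so a value ending in "\n" passes a `^...$` validator, while `\Z` matches only at the true end. The added example below (written for this page, not Django's EmailValidator) uses a deliberately simplified address pattern, a constructed header writer and a tolerant parser to show what a single trailing newline does once the value reaches a header sink: it terminates the header section early, so a header the application appends afterwards lands in the body. The `loose_validate`, `strict_validate`, `render_headers`, `parse_message` and `build_and_parse` functions and the "X-Trace" header are all assumptions made for the illustration.

```python
import re

# Constructed example, not Django's validator. A simplified address pattern;
# the security-relevant part is the end anchor, not the pattern body.
ADDRESS = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"

LOOSE_RE = re.compile(r"^" + ADDRESS + r"$")    # '$' also matches before a final '\n'
STRICT_RE = re.compile(r"^" + ADDRESS + r"\Z")  # '\Z' matches only at the true end


def loose_validate(value: str) -> bool:
    """The vulnerable shape: anchored with '$'."""
    return LOOSE_RE.match(value) is not None


def strict_validate(value: str) -> bool:
    """Hardened shape: anchored with '\\Z' and refusing CR/LF outright."""
    return ("\r" not in value and "\n" not in value
            and STRICT_RE.match(value) is not None)


def render_headers(fields) -> str:
    """Constructed sink: a naive writer that joins name/value pairs with CRLF."""
    return "".join(f"{name}: {value}\r\n" for name, value in fields)


def parse_message(raw: str):
    """Tolerant reader: accepts a bare LF as a line terminator (as many mail
    and HTTP parsers do) and ends the header section at the first empty line.
    Returns (header_lines, body_lines)."""
    lines = re.split(r"\r\n|\n", raw)
    try:
        blank = lines.index("")
    except ValueError:
        return lines, []
    return lines[:blank], [ln for ln in lines[blank + 1:] if ln]


def build_and_parse(reply_to: str, validator):
    """Validate an attacker-controlled Reply-To, write it followed by a header
    the application relies on, then report where that header ended up.
    Returns None when the validator rejects the value."""
    if not validator(reply_to):
        return None
    raw = render_headers([("Reply-To", reply_to), ("X-Trace", "1")])
    return parse_message(raw)


if __name__ == "__main__":
    # With the loose validator the trailing newline survives and X-Trace
    # is parsed as body text; the strict validator rejects the value.
    print(build_and_parse("alice@example.com\n", loose_validate))
    print(build_and_parse("alice@example.com\n", strict_validate))
```

The attacker only gets one trailing newline past a `$`-anchored pattern (anything after it breaks the match), but as the sink shows that is enough to truncate a header block; what can be achieved beyond that depends on the consumer. The durable fix is the one upstream applied to the validators: anchor with `\Z`, and treat CR and LF in header-bound values as invalid regardless of the pattern.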