Django 2.2.26 release notes¶
January 4, 2022
Django 2.2.26 fixes one security issue with severity “medium” and two security issues with severity “low” in 2.2.25.
CVE-2021-45115: Denial-of-service possibility in
UserAttributeSimilarityValidator incurred significant overhead
evaluating submitted password that were artificially large in relative to the
comparison values. On the assumption that access to user registration was
unrestricted this provided a potential vector for a denial-of-service attack.
In order to mitigate this issue, relatively long values are now ignored by
This issue has severity “medium” according to the Django security policy.
CVE-2021-45116: Potential information disclosure in
dictsort template filter¶
Due to leveraging the Django Template Language’s variable resolution logic, the
dictsort template filter was potentially vulnerable to information
disclosure or unintended method calls, if passed a suitably crafted key.
In order to avoid this possibility,
dictsort now works with a restricted
resolution logic, that will not call methods, nor allow indexing on
As a reminder, all untrusted user input should be validated before use.
This issue has severity “low” according to the Django security policy.