セキュリティ上の問題のアーカイブ¶
Django の開発チームは、Django のセキュリティポリシー にしたがって、セキュリティに関わる問題を、責任を持って積極的に公表しています。
この活動の一部として、修正・公開した問題の履歴リストをメンテナンスしています。以下のリストには、各問題に対して、日付、短い説明、もし存在すれば CVE identifier 、影響を受けるバージョン、完全な情報開示ページへのリンク、適切なパッチへのリンクが記載されています。
これらの情報に関する重要な注意書き
- 影響を受けるバージョンのリストには、情報公開時点での stable、security-supported リリースのバージョンのみが記載されています。つまり、(セキュリティサポートが切れた) 古いバージョンや pre リリース (alpha/beta/RC) 状態のバージョンは、公開時点で影響を受ける場合にも、リストに書かれていない可能性があるということです。
- The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.
Issues under Django's security process¶
All security issues have been handled under versions of Django's security process. These are listed below.
November 1, 2023 - CVE-2023-46695¶
Potential denial of service vulnerability in UsernameField on Windows.
Full description
October 4, 2023 - CVE-2023-43665¶
Denial-of-service possibility in django.utils.text.Truncator.
Full description
September 4, 2023 - CVE-2023-41164¶
Potential denial of service vulnerability in
django.utils.encoding.uri_to_iri(). Full description
July 3, 2023 - CVE-2023-36053¶
Potential regular expression denial of service vulnerability in
EmailValidator/URLValidator. Full description
May 3, 2023 - CVE-2023-31047¶
Potential bypass of validation when uploading multiple files using one form field. Full description
February 14, 2023 - CVE-2023-24580¶
Potential denial-of-service vulnerability in file uploads. Full description
February 1, 2023 - CVE-2023-23969¶
Potential denial-of-service via Accept-Language headers. Full description
October 4, 2022 - CVE-2022-41323¶
Potential denial-of-service vulnerability in internationalized URLs. Full description
August 3, 2022 - CVE-2022-36359¶
Potential reflected file download vulnerability in FileResponse. Full description
July 4, 2022 - CVE-2022-34265¶
Potential SQL injection via Trunc(kind) and Extract(lookup_name)
arguments. Full description
April 11, 2022 - CVE-2022-28346¶
Potential SQL injection in QuerySet.annotate(), aggregate(), and
extra(). Full description
April 11, 2022 - CVE-2022-28347¶
Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.
Full description
February 1, 2022 - CVE-2022-22818¶
Possible XSS via {% debug %} template tag. Full description
February 1, 2022 - CVE-2022-23833¶
Denial-of-service possibility in file uploads. Full description
January 4, 2022 - CVE-2021-45452¶
Potential directory-traversal via Storage.save(). Full description
January 4, 2022 - CVE-2021-45116¶
Potential information disclosure in dictsort template filter. Full
description
January 4, 2022 - CVE-2021-45115¶
Denial-of-service possibility in UserAttributeSimilarityValidator. Full
description
December 7, 2021 - CVE-2021-44420¶
Potential bypass of an upstream access control based on URL paths. Full description
July 1, 2021 - CVE-2021-35042¶
Potential SQL injection via unsanitized QuerySet.order_by() input. Full
description
June 2, 2021 - CVE-2021-33203¶
Potential directory traversal via admindocs. Full description
June 2, 2021 - CVE-2021-33571¶
Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description
May 6, 2021 - CVE-2021-32052¶
Header injection possibility since URLValidator accepted newlines in input
on Python 3.9.5+. Full description
May 4, 2021 - CVE-2021-31542¶
Potential directory-traversal via uploaded files. Full description
April 6, 2021 - CVE-2021-28658¶
Potential directory-traversal via uploaded files. Full description
February 19, 2021 - CVE-2021-23336¶
Web cache poisoning via django.utils.http.limited_parse_qsl(). Full
description
February 1, 2021 - CVE-2021-3281¶
Potential directory-traversal via archive.extract(). Full description
September 1, 2020 - CVE-2020-24584¶
Permission escalation in intermediate-level directories of the file system cache on Python 3.7+. Full description
September 1, 2020 - CVE-2020-24583¶
Incorrect permissions on intermediate-level directories on Python 3.7+. Full description
June 3, 2020 - CVE-2020-13596¶
Possible XSS via admin ForeignKeyRawIdWidget. Full description
June 3, 2020 - CVE-2020-13254¶
Potential data leakage via malformed memcached keys. Full description
March 4, 2020 - CVE-2020-9402¶
Potential SQL injection via tolerance parameter in GIS functions and
aggregates on Oracle. Full description
February 3, 2020 - CVE-2020-7471¶
StringAgg(delimiter) を通じた潜在的 SQL インジェクション. ` <https://www.djangoproject.com/weblog/2020/feb/03/security-releases/>`__
December 18, 2019 - CVE-2019-19844¶
Potential account hijack via password reset form. Full description
December 2, 2019 - CVE-2019-19118¶
Privilege escalation in the Django admin. Full description
2019年8月1日 - CVE-2019-14235¶
django.utils.encoding.uri_to_iri() におけるメモリ枯渇の可能性。詳細な説明
August 1, 2019 - CVE-2019-14234¶
SQL injection possibility in key and index lookups for
JSONField/HStoreField. Full description
August 1, 2019 - CVE-2019-14233¶
Denial-of-service possibility in strip_tags(). Full description
August 1, 2019 - CVE-2019-14232¶
Denial-of-service possibility in django.utils.text.Truncator. Full
description
July 1, 2019 - CVE-2019-12781¶
Incorrect HTTP detection with reverse-proxy connecting via HTTPS. Full description
June 3, 2019 - CVE-2019-12308¶
XSS via "Current URL" link generated by AdminURLFieldWidget. Full
description
June 3, 2019 - CVE-2019-11358¶
Prototype pollution in bundled jQuery. Full description
2019年2月11日 - CVE-2019-6975¶
django.utils.numberformat.format() におけるメモリ枯渇の問題。詳細な説明
2019年1月4日 - CVE-2019-3498¶
デフォルトの 404 ページにおけるコンテンツスプーフィングの可能性。詳細な説明
2018年10月1日 - CVE-2018-16984¶
Password hash disclosure to 「表示のみ (view only)」の admin ユーザーにパスワードのハッシュが意図せず公開されてしまう問題。詳細な説明
2018年8月1日 - CVE-2018-14574¶
CommonMiddleware におけるオープンリダイレクトの可能性。詳細な説明
2018年3月6日 - CVE-2018-7537¶
truncatechars_html と truncatewords_html テンプレートフィルタにおけるDoS 攻撃の可能性。 詳細な説明
2018年3月6日 - CVE-2018-7536¶
urlize と urlizetrunc テンプレートフィルタにおける DoS 攻撃の可能性。詳細な説明
2018年2月1日 - CVE-2018-6188¶
AuthenticationForm における情報漏えい問題。詳細な説明
2017年9月5日 - CVE-2017-12794¶
Possible XSS in traceback section of technical 500 debug page. Full description
April 4, 2017 - CVE-2017-7234¶
Open redirect vulnerability in django.views.static.serve(). Full
description
April 4, 2017 - CVE-2017-7233¶
Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Full description
November 1, 2016 - CVE-2016-9014¶
DNS rebinding vulnerability when DEBUG=True. Full description
November 1, 2016 - CVE-2016-9013¶
User with hardcoded password created when running tests on Oracle. Full description
September 26, 2016 - CVE-2016-7401¶
CSRF protection bypass on a site with Google Analytics. Full description
July 18, 2016 - CVE-2016-6186¶
XSS in admin's add/change related popup. Full description
March 1, 2016 - CVE-2016-2513¶
User enumeration through timing difference on password hasher work factor upgrade. Full description
March 1, 2016 - CVE-2016-2512¶
Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description
February 1, 2016 - CVE-2016-2048¶
User with "change" but not "add" permission can create objects for
ModelAdmin’s with save_as=True. Full description
November 24, 2015 - CVE-2015-8213¶
Settings leak possibility in date template filter. Full description
August 18, 2015 - CVE-2015-5963 / CVE-2015-5964¶
Denial-of-service possibility in logout() view by filling session store.
Full description
July 8, 2015 - CVE-2015-5145¶
Denial-of-service possibility in URL validation. Full description
July 8, 2015 - CVE-2015-5144¶
Header injection possibility since validators accept newlines in input. Full description
July 8, 2015 - CVE-2015-5143¶
Denial-of-service possibility by filling session store. Full description
May 20, 2015 - CVE-2015-3982¶
Fixed session flushing in the cached_db backend. Full description
March 18, 2015 - CVE-2015-2317¶
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
March 18, 2015 - CVE-2015-2316¶
Denial-of-service possibility with strip_tags(). Full description
March 9, 2015 - CVE-2015-2241¶
XSS attack via properties in ModelAdmin.readonly_fields. Full description
January 13, 2015 - CVE-2015-0222¶
Database denial-of-service with ModelMultipleChoiceField. Full description
January 13, 2015 - CVE-2015-0221¶
Denial-of-service attack against django.views.static.serve(). Full
description
January 13, 2015 - CVE-2015-0220¶
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
January 13, 2015 - CVE-2015-0219¶
WSGI header spoofing via underscore/dash conflation. Full description
August 20, 2014 - CVE-2014-0483¶
Data leakage via querystring manipulation in admin. Full description
August 20, 2014 - CVE-2014-0482¶
RemoteUserMiddleware session hijacking. Full description
August 20, 2014 - CVE-2014-0481¶
File upload denial of service. Full description
August 20, 2014 - CVE-2014-0480¶
reverse() can generate URLs pointing to other hosts. Full description
May 18, 2014 - CVE-2014-3730¶
Malformed URLs from user input incorrectly validated. Full description
May 18, 2014 - CVE-2014-1418¶
Caches may be allowed to store and serve private data. Full description
April 21, 2014 - CVE-2014-0474¶
MySQL typecasting causes unexpected query results. Full description
April 21, 2014 - CVE-2014-0473¶
Caching of anonymous pages could reveal CSRF token. Full description
April 21, 2014 - CVE-2014-0472¶
Unexpected code execution using reverse(). Full description
September 14, 2013 - CVE-2013-1443¶
Denial-of-service via large passwords. Full description
影響を受けるバージョン¶
- Django 1.4 (patch and Python compatibility fix)
- Django 1.5 (patch)
September 10, 2013 - CVE-2013-4315¶
Directory-traversal via ssi template tag. Full description
August 13, 2013 - CVE-2013-6044¶
Possible XSS via unvalidated URL redirect schemes. Full description
August 13, 2013 - CVE-2013-4249¶
XSS via admin trusting URLField values. Full description
February 19, 2013 - CVE-2013-0306¶
Denial-of-service via formset max_num bypass. Full description
February 19, 2013 - CVE-2013-0305¶
Information leakage via admin history log. Full description
February 19, 2013 - CVE-2013-1664 / CVE-2013-1665¶
Entity-based attacks against Python XML libraries. Full description
February 19, 2013 - No CVE¶
Additional hardening of Host header handling. Full description
December 10, 2012 - No CVE 2¶
Additional hardening of redirect validation. Full description
December 10, 2012 - No CVE 1¶
Additional hardening of Host header handling. Full description
October 17, 2012 - CVE-2012-4520¶
Host header poisoning. Full description
July 30, 2012 - CVE-2012-3444¶
Denial-of-service via large image files. Full description
July 30, 2012 - CVE-2012-3443¶
Denial-of-service via compressed image files. Full description
July 30, 2012 - CVE-2012-3442¶
XSS via failure to validate redirect scheme. Full description
September 9, 2011 - CVE-2011-4140¶
Potential CSRF via Host header. Full description
影響を受けるバージョン¶
This notification was an advisory only, so no patches were issued.
- Django 1.2
- Django 1.3
September 9, 2011 - CVE-2011-4139¶
Host header cache poisoning. Full description
September 9, 2011 - CVE-2011-4138¶
Information leakage/arbitrary request issuance via URLField.verify_exists.
Full description
September 9, 2011 - CVE-2011-4137¶
Denial-of-service via URLField.verify_exists. Full description
September 9, 2011 - CVE-2011-4136¶
Session manipulation when using memory-cache-backed session. Full description
February 8, 2011 - CVE-2011-0698¶
Directory-traversal on Windows via incorrect path-separator handling. Full description
February 8, 2011 - CVE-2011-0697¶
XSS via unsanitized names of uploaded files. Full description
February 8, 2011 - CVE-2011-0696¶
CSRF via forged HTTP headers. Full description
December 22, 2010 - CVE-2010-4535¶
Denial-of-service in password-reset mechanism. Full description
December 22, 2010 - CVE-2010-4534¶
Information leakage in administrative interface. Full description
September 8, 2010 - CVE-2010-3082¶
XSS via trusting unsafe cookie value. Full description
October 9, 2009 - CVE-2009-3965¶
Denial-of-service via pathological regular expression performance. Full description
July 28, 2009 - CVE-2009-2659¶
Directory-traversal in development server media handler. Full description
September 2, 2008 - CVE-2008-3909¶
CSRF via preservation of POST data during admin login. Full description
May 14, 2008 - CVE-2008-2302¶
XSS via admin login redirect. Full description
October 26, 2007 - CVE-2007-5712¶
Denial-of-service via arbitrarily-large Accept-Language header. Full
description
Django のセキュリティプロセスで解決される前の問題¶
いくつかのセキュリティ問題については、Django が正式にセキュリティ問題の処理プロセスを確立する以前に修正されました。そのような修正に対しては、新しいリリースが出されたときに修正された CVE が記載されていないことがあります。
January 21, 2007 - CVE-2007-0405¶
Apparent "caching" of authenticated user. Full description
