Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.
As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).
Beberapa peringatan penting berlaku pada informasi ini:
Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.
CVE-2007-0404: Filename validation issue in translation framework. Full description
Django 0.90 (tambalan)
Django 0.91 (tambalan)
Django 0.95 (tambalan) (diterbitkan Januari 21 2007)
CVE-2007-0405: Apparent “caching” of authenticated user. Full description
Django 0.95 (tambalan)
All other security issues have been handled under versions of Django’s security process. These are listed below.
CVE-2007-5712: Denial-of-service via arbitrarily-large Accept-Language
header. Full description
Django 0.91 (tambalan)
Django 0.95 (tambalan)
Django 0.96 (tambalan)
CVE-2008-2302: XSS via admin login redirect. Full description
Django 0.91 (tambalan)
Django 0.95 (tambalan)
Django 0.96 (tambalan)
CVE-2008-3909: CSRF via preservation of POST data during admin login. Full description
Django 0.91 (tambalan)
Django 0.95 (tambalan)
Django 0.96 (tambalan)
CVE-2009-2659: Directory-traversal in development server media handler. Full description
Django 0.96 (tambalan)
Django 1.0 (tambalan)
CVE-2009-3965: Denial-of-service via pathological regular expression performance. Full description
Django 1.0 (tambalan)
Django 1.1 (tambalan)
CVE-2010-3082: XSS via trusting unsafe cookie value. Full description
Django 1.2 (tambalan)
CVE-2010-4534: Information leakage in administrative interface. Full description
Django 1.1 (tambalan)
Django 1.2 (tambalan)
CVE-2010-4535: Denial-of-service in password-reset mechanism. Full description
Django 1.1 (tambalan)
Django 1.2 (tambalan)
CVE-2011-0696: CSRF via forged HTTP headers. Full description
Django 1.1 (tambalan)
Django 1.2 (tambalan)
CVE-2011-0697: XSS via unsanitized names of uploaded files. Full description
Django 1.1 (tambalan)
Django 1.2 (tambalan)
CVE-2011-0698: Directory-traversal on Windows via incorrect path-separator handling. Full description
Django 1.1 (tambalan)
Django 1.2 (tambalan)
CVE-2011-4136: Session manipulation when using memory-cache-backed session. Full description
Django 1.2 (tambalan)
Django 1.3 (tambalan)
CVE-2011-4137: Denial-of-service via URLField.verify_exists
. Full description
Django 1.2 (tambalan)
Django 1.3 (tambalan)
CVE-2011-4138: Information leakage/arbitrary request issuance via URLField.verify_exists
. Full description
Django 1.2: (tambalan)
Django 1.3: (tambalan)
CVE-2011-4139: Host
header cache poisoning. Full description
Django 1.2 (tambalan)
Django 1.3 (tambalan)
CVE-2011-4140: Potential CSRF via Host
header. Full description
Pemberitahuan ini hanya saran, jadi tidak ada tambalan diterbitkan.
CVE-2012-3442: XSS via failure to validate redirect scheme. Full description
Django 1.3: (tambalan)
Django 1.4: (tambalan)
CVE-2012-3443: Denial-of-service via compressed image files. Full description
Django 1.3: (tambalan)
Django 1.4: (tambalan)
CVE-2012-3444: Denial-of-service via large image files. Full description
Django 1.3 (tambalan)
Django 1.4 (tambalan)
CVE-2012-4520: Host
header poisoning. Full description
Django 1.3 (tambalan)
Django 1.4 (tambalan)
Additional hardening of Host
header handling. Full description
Django 1.3 (tambalan)
Django 1.4 (tambalan)
Additional hardening of redirect validation. Full description
Django 1.3: (tambalan)
Django 1.4: (tambalan)
Additional hardening of Host
header handling. Full description
Django 1.3 (tambalan)
Django 1.4 (tambalan)
CVE-2013-1664 and CVE-2013-1665: Entity-based attacks against Python XML libraries. Full description
Django 1.3 (tambalan)
Django 1.4 (tambalan)
CVE-2013-0305: Information leakage via admin history log. Full description
Django 1.3 (tambalan)
Django 1.4 (tambalan)
CVE-2013-0306: Denial-of-service via formset max_num
bypass. Full description
Django 1.3 (tambalan)
Django 1.4 (tambalan)
CVE-2013-4249: XSS via admin trusting URLField
values. Full description
Django 1.5 (tambalan)
CVE-2013-6044: Possible XSS via unvalidated URL redirect schemes. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
CVE-2013-4315 Directory-traversal via ssi
template tag. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
CVE-2013-1443: Denial-of-service melalui sandi besar. Gambaran penuh
Django 1.4 (patch dan Memperbaiki kesesuaian Python)
Django 1.5 (tambalan)
CVE-2014-0472: Menjalankan ode tidak diharapkan menggunakan reverse()
. Gambaran penuh
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-0473: Caching of anonymous pages could reveal CSRF token. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-0474: MySQL typecasting causes unexpected query results. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-1418: Caches may be allowed to store and serve private data. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-3730: Malformed URLs from user input incorrectly validated. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-0480: reverse() can generate URLs pointing to other hosts. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-0481: File upload denial of service. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-0482: RemoteUserMiddleware session hijacking. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2014-0483: Data leakage via querystring manipulation in admin. Full description
Django 1.4 (tambalan)
Django 1.5 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2015-0219: WSGI header spoofing via underscore/dash conflation. Full description
Django 1.4 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2015-0220: Mitigated possible XSS attack via user-supplied redirect URLs. Full description
Django 1.4 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2015-0221:
Denial-of-service attack against django.views.static.serve()
.
Full description
Django 1.4 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2015-0222:
Database denial-of-service with ModelMultipleChoiceField
.
Full description
Django 1.6 (tambalan)
Django 1.7 (tambalan)
CVE-2015-2241:
XSS attack via properties in ModelAdmin.readonly_fields
.
Full description
Django 1.7 (tambalan)
Django 1.8 (tambalan)
CVE-2015-2316:
Denial-of-service possibility with strip_tags()
.
Full description
Django 1.6 (tambalan)
Django 1.7 (tambalan)
Django 1.8 (tambalan)
CVE-2015-2317: Mitigated possible XSS attack via user-supplied redirect URLs. Full description
Django 1.4 (tambalan)
Django 1.6 (tambalan)
Django 1.7 (tambalan)
Django 1.8 (tambalan)
CVE-2015-3982: Fixed session flushing in the cached_db backend. Full description
Django 1.8 (tambalan)
CVE-2015-5143: Denial-of-service possibility by filling session store. Full description
Django 1.8 (tambalan)
Django 1.7 (tambalan)
Django 1.4 (tambalan)
CVE-2015-5144: Header injection possibility since validators accept newlines in input. Full description
Django 1.8 (tambalan)
Django 1.7 (tambalan)
Django 1.4 (tambalan)
CVE-2015-5145: Denial-of-service possibility in URL validation. Full description
Django 1.8 (tambalan)
CVE-2015-5963
and
CVE-2015-5964:
Denial-of-service possibility in logout()
view by filling session store.
Full description
Django 1.8 (tambalan)
Django 1.7 (tambalan)
Django 1.4 (tambalan)
CVE-2015-8213:
Settings leak possibility in date
template filter.
Full description
Django 1.8 (tambalan)
Django 1.7 (tambalan)
CVE-2016-2048:
User with “change” but not “add” permission can create objects for ModelAdmin
’s with save_as=True
.
Full description
Django 1.9 (tambalan)
CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth. Full description
Django 1.9 (tambalan)
Django 1.8 (tambalan)
CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade. Full description
Django 1.9 (tambalan)
CVE-2016-6186: XSS in admin’s add/change related popup. Full description
Agt 01, 2016