Archive of security issues

Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.

As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).

Some important caveats apply to this information:

  • Lists of affected versions include only those versions of Django which had stable, security-supported releases at the time of disclosure. This means older versions (whose security support had expired) and versions which were in pre-release (alpha/beta/RC) states at the time of disclosure may have been affected, but are not listed.
  • The Django project has on occasion issued security advisories, pointing out potential security problems which can arise from improper configuration or from other issues outside of Django itself. Some of these advisories have received CVEs; when that is the case, they are listed here, but as they have no accompanying patches or releases, only the description, disclosure and CVE will be listed.

Issues prior to Django’s security process

Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.

16 de agosto, 2006 - CVE-2007-0404

CVE-2007-0404: Filename validation issue in translation framework. Full description

Versões afetadas

21 de janeiro, 2007 - CVE-2007-0405

CVE-2007-0405: Apparent “caching” of authenticated user. Full description

Versões afetadas

Issues under Django’s security process

All other security issues have been handled under versions of Django’s security process. These are listed below.

26 de outubro, 2007 - CVE-2007-5712

CVE-2007-5712: Denial-of-service via arbitrarily-large Accept-Language header. Full description

Versões afetadas

14 de maio, 2008 - CVE-2008-2302

CVE-2008-2302: XSS via admin login redirect. Full description

Versões afetadas

2 de setembro, 2008 CVE-2008-3909

CVE-2008-3909: CSRF via preservation of POST data during admin login. Full description

Versões afetadas

28 de julho, 2009 - CVE-2009-2659

CVE-2009-2659: Directory-traversal in development server media handler. Full description

Versões afetadas

9 de outubro, 2009 - CVE-2009-3965

CVE-2009-3965: Denial-of-service via pathological regular expression performance. Full description

Versões afetadas

8 de setembro, 2010 - CVE-2010-3082

CVE-2010-3082: XSS via trusting unsafe cookie value. Full description

Versões afetadas

22 de dezembro, 2010 - CVE-2010-4534

CVE-2010-4534: Information leakage in administrative interface. Full description

Versões afetadas

22 de dezembro, 2010 - CVE-2010-4535

CVE-2010-4535: Denial-of-service in password-reset mechanism. Full description

Versões afetadas

8 de fevereiro, 2011 CVE-2011-0696

CVE-2011-0696: CSRF via forged HTTP headers. Full description

Versões afetadas

8 de fevereiro, 2011 CVE-2011-0697

CVE-2011-0697: XSS via unsanitized names of uploaded files. Full description

Versões afetadas

8 de fevereiro, 2011 CVE-2011-0698

CVE-2011-0698: Directory-traversal on Windows via incorrect path-separator handling. Full description

Versões afetadas

9 de setembro, 2011 CVE-2011-4136

CVE-2011-4136: Session manipulation when using memory-cache-backed session. Full description

Versões afetadas

9 de setembro, 2011 CVE-2011-4137

CVE-2011-4137: Denial-of-service via URLField.verify_exists. Full description

Versões afetadas

9 de setembro, 2011 CVE-2011-4138

CVE-2011-4138: Information leakage/arbitrary request issuance via URLField.verify_exists. Full description

Versões afetadas

9 de setembro, 2011 CVE-2011-4139

CVE-2011-4139: Host header cache poisoning. Full description

Versões afetadas

9 de setembro, 2011 CVE-2011-4140

CVE-2011-4140: Potential CSRF via Host header. Full description

Versões afetadas

Esta notificação foi apenas informativa, assim, nenhum patch foi feito.

  • Django 1.2
  • Django 1.3

30 de julho, 2012 - CVE-2012-3442

CVE-2012-3442: XSS via failure to validate redirect scheme. Full description

Versões afetadas

30 de julho, 2012 - CVE-2012-3443

CVE-2012-3443: Denial-of-service via compressed image files. Full description

Versões afetadas

30 de julho, 2012 - CVE-2012-3444

CVE-2012-3444: Denial-of-service via large image files. Full description

Versões afetadas

17 de outubro, 2012 - CVE-2012-4520

CVE-2012-4520: Host header poisoning. Full description

Versões afetadas

10 de dezembro, 2012 - Sem CVE 1

Additional hardening of Host header handling. Full description

Versões afetadas

10 de dezembro, 2012 - CVE-2013-4315

Additional hardening of redirect validation. Full description

Versões afetadas

19 de fevereiro, sem CVE

Additional hardening of Host header handling. Full description

Versões afetadas

19 de fevereiro, CVE-2013-1664/1665

CVE-2013-1664 and CVE-2013-1665: Entity-based attacks against Python XML libraries. Full description

Versões afetadas

19 de fevereiro, CVE-2013-0305

CVE-2013-0305: Information leakage via admin history log. Full description

Versões afetadas

19 de fevereiro, CVE-2013-0306

CVE-2013-0306: Denial-of-service via formset max_num bypass. Full description

Versões afetadas

13 de agosto, CVE-2013-4249

CVE-2013-4249: XSS via admin trusting URLField values. Full description

Versões afetadas

13 de agosto, CVE-2013-6044

CVE-2013-6044: Possible XSS via unvalidated URL redirect schemes. Full description

Versões afetadas

10 de setembro, 2013 - CVE-2013-4315

CVE-2013-4315 Directory-traversal via ssi template tag. Full description

Versões afetadas

14 de novembro, CVE-2013-1443

CVE-2013-1443: Denial-of-service via large passwords. Full description

Versões afetadas

21 de abril, 2014 - CVE-2014-0472

CVE-2014-0472: Unexpected code execution using reverse(). Full description

Versões afetadas

21 de abril, 2014 - CVE-2014-0473

CVE-2014-0473: Caching of anonymous pages could reveal CSRF token. Full description

Versões afetadas

21 de abril, 2014 - CVE-2014-0474

CVE-2014-0474: MySQL typecasting causes unexpected query results. Full description

Versões afetadas

18 de maio, 2014 - CVE-2014-1418

CVE-2014-1418: Caches may be allowed to store and serve private data. Full description

Versões afetadas

18 de maio, 2014 - CVE-2014-3730

CVE-2014-3730: Malformed URLs from user input incorrectly validated. Full description

Versões afetadas

20 de agosto, 2014 - CVE-2014-0480

CVE-2014-0480: reverse() can generate URLs pointing to other hosts. Full description

Versões afetadas

20 de agosto, 2014 - CVE-2014-0481

CVE-2014-0481: File upload denial of service. Full description

Versões afetadas

20 de agosto, 2014 - CVE-2014-0482

CVE-2014-0482: RemoteUserMiddleware session hijacking. Full description

Versões afetadas

20 de agosto, 2014 - CVE-2014-0483

CVE-2014-0483: Data leakage via querystring manipulation in admin. Full description

Versões afetadas

13 de janeiro - CVE-2015-0219

CVE-2015-0219: WSGI header spoofing via underscore/dash conflation. Full description

Versões afetadas

13 de janeiro - CVE-2015-0220

CVE-2015-0220: Mitigated possible XSS attack via user-supplied redirect URLs. Full description

Versões afetadas

13 de janeiro - CVE-2015-0221

CVE-2015-0221: Denial-of-service attack against django.views.static.serve(). Full description

Versões afetadas

13 de janeiro - CVE-2015-0222

CVE-2015-0222: Database denial-of-service with ModelMultipleChoiceField. Full description

Versões afetadas

9 de Março. CVE-2015-2241

CVE-2015-2241: XSS attack via properties in ModelAdmin.readonly_fields. Full description

Versões afetadas

18 de Março. CVE-2015-2316

CVE-2015-2316: Denial-of-service possibility with strip_tags(). Full description

Versões afetadas

18 de Março. CVE-2015-2317

CVE-2015-2317: Mitigated possible XSS attack via user-supplied redirect URLs. Full description

Versões afetadas

20 de maio, 2015 - CVE-2015-3982

CVE-2015-3982: Fixed session flushing in the cached_db backend. Full description

Versões afetadas

8 de julho, 2015 - CVE-2015-5143

CVE-2015-5143: Denial-of-service possibility by filling session store. Full description

Versões afetadas

8 de julho, 2015 - CVE-2015-5144

CVE-2015-5144: Header injection possibility since validators accept newlines in input. Full description

Versões afetadas

8 de julho, 2015 - CVE-2015-5145

CVE-2015-5145: Denial-of-service possibility in URL validation. Full description

Versões afetadas

18 de agosto, 2015 - CVE-2015-5963/CVE-2015-5964

CVE-2015-5963 and CVE-2015-5964: Denial-of-service possibility in logout() view by filling session store. Full description

Versões afetadas

24 de novembro, CVE-2015-8213

CVE-2015-8213: Settings leak possibility in date template filter. Full description

Versões afetadas

Primeiro de Fevereiro. CVE-2016-2048

CVE-2016-2048: Usuário com permissão de “editar” mas não “adicionar” pode criar objetos ModelAdmin com ``save_as=True. Descrição completa

Versões afetadas

Primeiro de Março. CVE-2016-2512

CVE-2016-2512: Redireciona maliciosamente e possibilita ataque XSS através de um redirecionamento enviado pelo usuárioContendo autenticação básica. Descrição completa

Versões afetadas

Primeiro de Março. CVE-2016-2513

CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade. Full description

Versões afetadas

July 18, 2016 - CVE-2016-6186

CVE-2016-6186: XSS in admin’s add/change related popup. Full description

Versões afetadas