chore(deps): update dependency django to v4 [security]#10829
Open
renovate-bot wants to merge 1 commit into
Open
chore(deps): update dependency django to v4 [security]#10829renovate-bot wants to merge 1 commit into
renovate-bot wants to merge 1 commit into
Conversation
trusted-contributions-gcf
Bot
added
the
kokoro:force-run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==1.8.12→==4.2.26Django Denial-of-service possibility in truncatechars_html and truncatewords_html template filters
CVE-2018-7537 / GHSA-2f9x-5v75-3qv4
More information
Details
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django open redirect
CVE-2017-7234 / GHSA-h4hv-m4h4-mhwg
More information
Details
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the
django.views.static.serve()view could redirect to any other domain, aka an open redirect vulnerability.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django Potential account hijack via password reset form
CVE-2019-19844 / GHSA-vfq6-hq5r-27r6
More information
Details
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
SQL injection in Django
CVE-2020-7471 / GHSA-hmr4-m2h5-33qx
More information
Details
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Path Traversal in Django
CVE-2021-33203 / GHSA-68w8-qjq3-2gfm
More information
Details
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django Cross-site scripting Vulnerability
CVE-2016-6186 / GHSA-c8c8-9472-w52h
More information
Details
Cross-site scripting (XSS) vulnerability in the
dismissChangeRelatedObjectPopupfunction incontrib/admin/static/admin/js/admin/RelatedObjectLookups.jsin Django before 1.8.14, 1.9.x before 1.9.8, and 1.10.x before 1.10rc1 allows remote attackers to inject arbitrary web script or HTML via vectors involving unsafe usage of Element.innerHTML.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django CSRF Protection Bypass
CVE-2016-7401 / GHSA-crhm-qpjc-cm64
More information
Details
The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to Reflected File Download attack
CVE-2022-36359 / GHSA-8x94-hmjh-97hq
More information
Details
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django user with hardcoded password created when running tests on Oracle
CVE-2016-9013 / GHSA-mv8g-fhh6-6267
More information
Details
Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django open redirect and possible XSS attack via user-supplied numeric redirect URLs
CVE-2017-7233 / GHSA-37hp-765x-j95x
More information
Details
Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely
django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies onis_safe_url()to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django DNS Rebinding Vulnerability
CVE-2016-9014 / GHSA-3f2c-jm6v-cr35
More information
Details
Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django denial-of-service possibility in urlize and urlizetrunc template filters
CVE-2018-7536 / GHSA-r28v-mw67-m5p9
More information
Details
An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The
django.utils.html.urlize()function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). Theurlize()function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django allows enumeration of user e-mail addresses
CVE-2024-45231 / GHSA-rrqc-c2jx-6jgv
More information
Details
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django Improper Output Neutralization for Logs vulnerability
CVE-2025-48432 / GHSA-7xr5-9hcq-chf9
More information
Details
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django is subject to SQL injection through its column aliases
CVE-2025-57833 / GHSA-6w2r-r2m5-xq5w
More information
Details
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
CVE-2025-64459 / GHSA-frmv-pr5f-9mcr
More information
Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods
QuerySet.filter(),QuerySet.exclude(), andQuerySet.get(), and the classQ(), are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the_connectorargument.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank cyberstan for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
CVE-2025-64458 / GHSA-qw25-v68c-qjf3
More information
Details
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
NFKC normalization in Python is slow on Windows. As a consequence,
django.http.HttpResponseRedirect,django.http.HttpResponsePermanentRedirect, and the shortcutdjango.shortcuts.redirectwere subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
django/django (django)
v4.2.26Compare Source
v4.2.25Compare Source
v4.2.24Compare Source
v4.2.23Compare Source
v4.2.22Compare Source
v4.2.21Compare Source
v4.2.20Compare Source
v4.2.19Compare Source
v4.2.18Compare Source
v4.2.17Compare Source
v4.2.16Compare Source
v4.2.15Compare Source
v4.2.14Compare Source
v4.2.13Compare Source
v4.2.12Compare Source
v4.2.11Compare Source
v4.2.10Compare Source
v4.2.9Compare Source
v4.2.8Compare Source
v4.2.7Compare Source
v4.2.6Compare Source
v4.2.5Compare Source
v4.2.4Compare Source
v4.2.3Compare Source
v4.2.2Compare Source
v4.2.1Compare Source
v4.2Compare Source
v4.1.13Compare Source
v4.1.12Compare Source
v4.1.11Compare Source
v4.1.10Compare Source
v4.1.9Compare Source
v4.1.8Compare Source
v4.1.7Compare Source
v4.1.6Compare Source
v4.1.5Compare Source
v4.1.4Compare Source
v4.1.3Compare Source
v4.1.2Compare Source
v4.1.1Compare Source
v4.1Compare Source
v4.0.10[Compare Source](https://redirect.github.com/d
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.