Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.1 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.1 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.1 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.1 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.1 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.1 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.1 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.1 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.1 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.1 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
requests | 2.28.1 | >=2.3.0,<2.31.0 |
show Requests 2.31.0 includes a fix for CVE-2023-32681: Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use 'rebuild_proxies' to reattach the 'Proxy-Authorization' header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the 'Proxy-Authorization' header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. |
https://pyup.io/repos/github/just-work/django-video-transcoding/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/just-work/django-video-transcoding/python-3-shield.svg)](https://pyup.io/repos/github/just-work/django-video-transcoding/)
.. image:: https://pyup.io/repos/github/just-work/django-video-transcoding/python-3-shield.svg :target: https://pyup.io/repos/github/just-work/django-video-transcoding/ :alt: Python 3
<a href="https://pyup.io/repos/github/just-work/django-video-transcoding/"><img src="https://pyup.io/repos/github/just-work/django-video-transcoding/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/just-work/django-video-transcoding/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/just-work/django-video-transcoding/
{<img src="https://pyup.io/repos/github/just-work/django-video-transcoding/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/just-work/django-video-transcoding/]
https://pyup.io/repos/github/just-work/django-video-transcoding/shield.svg
[![Updates](https://pyup.io/repos/github/just-work/django-video-transcoding/shield.svg)](https://pyup.io/repos/github/just-work/django-video-transcoding/)
.. image:: https://pyup.io/repos/github/just-work/django-video-transcoding/shield.svg :target: https://pyup.io/repos/github/just-work/django-video-transcoding/ :alt: Updates
<a href="https://pyup.io/repos/github/just-work/django-video-transcoding/"><img src="https://pyup.io/repos/github/just-work/django-video-transcoding/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/just-work/django-video-transcoding/shield.svg(Updates)!:https://pyup.io/repos/github/just-work/django-video-transcoding/
{<img src="https://pyup.io/repos/github/just-work/django-video-transcoding/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/just-work/django-video-transcoding/]