Package | Installed | Affected | Info |
---|---|---|---|
Django | 4.0.3 | <2.2.28 , >=3.0a1,<3.2.13 , >=4.0a1,<4.0.4 |
show Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28347: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. https://www.djangoproject.com/weblog/2022/apr/11/security-releases |
Django | 4.0.3 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 4.0.3 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 4.0.3 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 4.0.3 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 4.0.3 | <2.2.28 , >=3.0a1,<3.2.13 , >=4.0a1,<4.0.4 |
show Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. https://www.djangoproject.com/weblog/2022/apr/11/security-releases |
Django | 4.0.3 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 4.0.3 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a directory-traversal vulnerability in the Storage.save() method. Derived classes of the django.core.files.storage.Storage base class that overrides the generate_filename() method without replicating the file path validations existing in the parent class could allow for directory traversal via certain inputs when calling save(). This could enable an attacker to manipulate file paths and access unintended directories. |
Django | 4.0.3 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 4.0.3 | <3.2.15 , >=4.0a1,<4.0.7 |
show Django 3.2.15 and 4.0.7 include a fix for CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. https://www.djangoproject.com/weblog/2022/aug/03/security-releases |
Django | 4.0.3 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 4.0.3 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a username enumeration vulnerability caused by timing differences in the django.contrib.auth.backends.ModelBackend.authenticate() method. This method allowed remote attackers to enumerate users through a timing attack involving login requests for users with unusable passwords. The timing difference in the authentication process exposed whether a username was valid or not, potentially aiding attackers in gaining unauthorized access. |
Django | 4.0.3 | <4.2.15 , >=5.0a1,<5.0.8 |
show Django has a potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget. The urlize and urlizetrunc functions, along with AdminURLFieldWidget, are vulnerable to denial-of-service attacks when handling inputs with a very large number of Unicode characters. |
Django | 4.0.3 | <4.2.15 , >=5.0a1,<5.0.8 |
show Django addresses a memory exhaustion issue in django.utils.numberformat.floatformat(). When floatformat receives a string representation of a number in scientific notation with a large exponent, it could lead to excessive memory consumption. To prevent this, decimals with more than 200 digits are now returned as-is. |
Django | 4.0.3 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are potentially vulnerable to denial-of-service via the get_supported_language_variant() method. This method was susceptible to a denial-of-service attack when used with very long strings containing specific characters. Exploiting this vulnerability could cause significant delays or crashes in the affected application, potentially leading to service disruption. |
Django | 4.0.3 | <4.2.16 , >=5.0a1,<5.0.9 , >=5.1a1,<5.1.1 |
show A security vulnerability has been discovered in certain versions of Django, affecting the password reset functionality. The PasswordResetForm class in django.contrib.auth.forms inadvertently allowed attackers to enumerate user email addresses by exploiting unhandled exceptions during the email sending process. This could be done by issuing password reset requests and observing the responses. To mitigate this risk, Django has implemented a fix where these exceptions are now caught and logged using the django.contrib.auth logger, preventing potential information leakage through error responses. |
Django | 4.0.3 | <4.2.16 , >=5.0a1,<5.0.9 , >=5.1a1,<5.1.1 |
show A potential denial-of-service vulnerability has been identified in Django's urlize() and urlizetrunc() functions in django.utils.html. This vulnerability can be triggered by inputting huge strings containing a specific sequence of characters. |
Django | 4.0.3 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a potential denial-of-service vulnerability in the django.utils.html.urlize() function. The urlize and urlizetrunc template filters were susceptible to a denial-of-service attack via certain inputs containing many brackets. An attacker could exploit this vulnerability to cause significant delays or crashes in the affected application. |
Django | 4.0.3 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 4.0.3 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 4.0.3 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 4.0.3 | <3.2.14 , >=4.0a1,<4.0.6 |
show Django 3.2.14 and 4.0.6 include a fix for CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments. https://www.djangoproject.com/weblog/2022/jul/04/security-releases |
Django | 4.0.3 | <4.2.15 , >=5.0a1,<5.0.8 |
show Affected versions of Django has a potential SQL injection vulnerability in the QuerySet.values() and QuerySet.values_list() methods. When used on models with a JSONField, these methods are susceptible to SQL injection through column aliases if a crafted JSON object key is passed as an argument. |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 3.2.8 | <2.2.28 , >=3.0a1,<3.2.13 , >=4.0a1,<4.0.4 |
show Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28347: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. https://www.djangoproject.com/weblog/2022/apr/11/security-releases |
Django | 3.2.8 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 3.2.8 | <2.2.26 , >=3.0a1,<3.2.11 , >=4.0a1,<4.0.1 |
show Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. https://www.djangoproject.com/weblog/2022/jan/04/security-releases |
Django | 3.2.8 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 3.2.8 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 3.2.8 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 3.2.8 | <2.2.28 , >=3.0a1,<3.2.13 , >=4.0a1,<4.0.4 |
show Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. https://www.djangoproject.com/weblog/2022/apr/11/security-releases |
Django | 3.2.8 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 3.2.8 | <2.2.27 , >=3.0a1,<3.2.12 , >=4.0a1,<4.0.2 |
show The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a directory-traversal vulnerability in the Storage.save() method. Derived classes of the django.core.files.storage.Storage base class that overrides the generate_filename() method without replicating the file path validations existing in the parent class could allow for directory traversal via certain inputs when calling save(). This could enable an attacker to manipulate file paths and access unintended directories. |
Django | 3.2.8 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 3.2.8 | <3.2.15 , >=4.0a1,<4.0.7 |
show Django 3.2.15 and 4.0.7 include a fix for CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. https://www.djangoproject.com/weblog/2022/aug/03/security-releases |
Django | 3.2.8 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 3.2.8 | <2.2.26 , >=3.0a1,<3.2.11 , >=4.0a1,<4.0.1 |
show Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a username enumeration vulnerability caused by timing differences in the django.contrib.auth.backends.ModelBackend.authenticate() method. This method allowed remote attackers to enumerate users through a timing attack involving login requests for users with unusable passwords. The timing difference in the authentication process exposed whether a username was valid or not, potentially aiding attackers in gaining unauthorized access. |
Django | 3.2.8 | <4.2.15 , >=5.0a1,<5.0.8 |
show Django has a potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget. The urlize and urlizetrunc functions, along with AdminURLFieldWidget, are vulnerable to denial-of-service attacks when handling inputs with a very large number of Unicode characters. |
Django | 3.2.8 | <4.2.15 , >=5.0a1,<5.0.8 |
show Django addresses a memory exhaustion issue in django.utils.numberformat.floatformat(). When floatformat receives a string representation of a number in scientific notation with a large exponent, it could lead to excessive memory consumption. To prevent this, decimals with more than 200 digits are now returned as-is. |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are potentially vulnerable to denial-of-service via the get_supported_language_variant() method. This method was susceptible to a denial-of-service attack when used with very long strings containing specific characters. Exploiting this vulnerability could cause significant delays or crashes in the affected application, potentially leading to service disruption. |
Django | 3.2.8 | <2.2.25 , >=3.2a1,<3.2.10 , >=3.1a1,<3.1.14 |
show Django versions 2.2.25, 3.1.14 and 3.2.10 include a fix for CVE-2021-44420: In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. https://www.djangoproject.com/weblog/2021/dec/07/security-releases/ |
Django | 3.2.8 | <2.2.27 , >=3.0a1,<3.2.12 , >=4.0a1,<4.0.2 |
show Django 2.2.27, 3.2.12 and 4.0.2 include a fix for CVE-2022-23833: Denial-of-service possibility in file uploads. https://www.djangoproject.com/weblog/2022/feb/01/security-releases |
Django | 3.2.8 | <4.2.16 , >=5.0a1,<5.0.9 , >=5.1a1,<5.1.1 |
show A security vulnerability has been discovered in certain versions of Django, affecting the password reset functionality. The PasswordResetForm class in django.contrib.auth.forms inadvertently allowed attackers to enumerate user email addresses by exploiting unhandled exceptions during the email sending process. This could be done by issuing password reset requests and observing the responses. To mitigate this risk, Django has implemented a fix where these exceptions are now caught and logged using the django.contrib.auth logger, preventing potential information leakage through error responses. |
Django | 3.2.8 | <4.2.16 , >=5.0a1,<5.0.9 , >=5.1a1,<5.1.1 |
show A potential denial-of-service vulnerability has been identified in Django's urlize() and urlizetrunc() functions in django.utils.html. This vulnerability can be triggered by inputting huge strings containing a specific sequence of characters. |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a potential denial-of-service vulnerability in the django.utils.html.urlize() function. The urlize and urlizetrunc template filters were susceptible to a denial-of-service attack via certain inputs containing many brackets. An attacker could exploit this vulnerability to cause significant delays or crashes in the affected application. |
Django | 3.2.8 | <2.2.26 , >=3.0a1,<3.2.11 , >=4.0a1,<4.0.1 |
show Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ |
Django | 3.2.8 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 3.2.8 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 3.2.8 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 3.2.8 | <3.2.14 , >=4.0a1,<4.0.6 |
show Django 3.2.14 and 4.0.6 include a fix for CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments. https://www.djangoproject.com/weblog/2022/jul/04/security-releases |
Django | 3.2.8 | <4.2.15 , >=5.0a1,<5.0.8 |
show Affected versions of Django has a potential SQL injection vulnerability in the QuerySet.values() and QuerySet.values_list() methods. When used on models with a JSONField, these methods are susceptible to SQL injection through column aliases if a crafted JSON object key is passed as an argument. |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.4.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.4.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.4.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.4.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.4.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Pillow | 8.4.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. |
Pillow | 8.4.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.4.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
ipython | 7.28.0 | >=8.0.0a0,<8.0.1 , >=7.17.0,<7.31.1 , >=6.0.0a0,<7.16.3 , <5.11 |
show Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x |
ipython | 7.28.0 | <8.10.0 |
show IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input. https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7 |
Package | Installed | Affected | Info |
---|---|---|---|
Django | 3.2.8 | <2.2.28 , >=3.0a1,<3.2.13 , >=4.0a1,<4.0.4 |
show Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28347: A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. https://www.djangoproject.com/weblog/2022/apr/11/security-releases |
Django | 3.2.8 | <3.2.25 , >=4.0a1,<4.2.11 , >=5.0a1,<5.0.3 |
show Affected versions of Django are vulnerable to potential regular expression denial-of-service (REDoS). django.utils.text.Truncator.words() method (with html=True) and truncatewords_html template filter were subject to a potential regular expression denial-of-service attack using a suitably crafted string (follow up to CVE-2019-14232 and CVE-2023-43665). |
Django | 3.2.8 | <2.2.26 , >=3.0a1,<3.2.11 , >=4.0a1,<4.0.1 |
show Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. https://www.djangoproject.com/weblog/2022/jan/04/security-releases |
Django | 3.2.8 | >=4.0a1,<4.1.10 , >=4.2a1,<4.2.3 , <3.2.20 |
show Affected versions of Django are vulnerable to a potential ReDoS (regular expression denial of service) in EmailValidator and URLValidator via a very large number of domain name labels of emails and URLs. |
Django | 3.2.8 | <3.2.19 , >=4.0a1,<4.1.9 , >=4.2a1,<4.2.1 |
show Django 4.2.1, 4.1.9 and 3.2.19 include a fix for CVE-2023-31047: In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. https://www.djangoproject.com/weblog/2023/may/03/security-releases |
Django | 3.2.8 | <3.2.22 , >=4.0a1,<4.1.12 , >=4.2a1,<4.2.6 |
show Affected versions of Django are vulnerable to Denial-of-Service via django.utils.text.Truncator. The django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. |
Django | 3.2.8 | <2.2.28 , >=3.0a1,<3.2.13 , >=4.0a1,<4.0.4 |
show Django 2.2.28, 3.2.13 and 4.0.4 include a fix for CVE-2022-28346: An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. https://www.djangoproject.com/weblog/2022/apr/11/security-releases |
Django | 3.2.8 | <3.2.17 , >=4.0a1,<4.0.9 , >=4.1a1,<4.1.6 |
show Django 3.2.17, 4.0.9 and 4.1.6 includes a fix for CVE-2023-23969: In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. https://www.djangoproject.com/weblog/2023/feb/01/security-releases |
Django | 3.2.8 | <2.2.27 , >=3.0a1,<3.2.12 , >=4.0a1,<4.0.2 |
show The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a directory-traversal vulnerability in the Storage.save() method. Derived classes of the django.core.files.storage.Storage base class that overrides the generate_filename() method without replicating the file path validations existing in the parent class could allow for directory traversal via certain inputs when calling save(). This could enable an attacker to manipulate file paths and access unintended directories. |
Django | 3.2.8 | <3.2.18 , >=4.0a1,<4.0.10 , >=4.1a1,<4.1.7 |
show Django 4.1.7, 4.0.10 and 3.2.18 include a fix for CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. https://www.djangoproject.com/weblog/2023/feb/14/security-releases |
Django | 3.2.8 | <3.2.15 , >=4.0a1,<4.0.7 |
show Django 3.2.15 and 4.0.7 include a fix for CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. https://www.djangoproject.com/weblog/2022/aug/03/security-releases |
Django | 3.2.8 | <3.2.21 , >=4.0a1,<4.1.11 , >=4.2a1,<4.2.5 |
show Affected versions of Django are vulnerable to potential Denial of Service via certain inputs with a very large number of Unicode characters in django.utils.encoding.uri_to_iri(). |
Django | 3.2.8 | <2.2.26 , >=3.0a1,<3.2.11 , >=4.0a1,<4.0.1 |
show Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a username enumeration vulnerability caused by timing differences in the django.contrib.auth.backends.ModelBackend.authenticate() method. This method allowed remote attackers to enumerate users through a timing attack involving login requests for users with unusable passwords. The timing difference in the authentication process exposed whether a username was valid or not, potentially aiding attackers in gaining unauthorized access. |
Django | 3.2.8 | <4.2.15 , >=5.0a1,<5.0.8 |
show Django has a potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget. The urlize and urlizetrunc functions, along with AdminURLFieldWidget, are vulnerable to denial-of-service attacks when handling inputs with a very large number of Unicode characters. |
Django | 3.2.8 | <4.2.15 , >=5.0a1,<5.0.8 |
show Django addresses a memory exhaustion issue in django.utils.numberformat.floatformat(). When floatformat receives a string representation of a number in scientific notation with a large exponent, it could lead to excessive memory consumption. To prevent this, decimals with more than 200 digits are now returned as-is. |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are potentially vulnerable to denial-of-service via the get_supported_language_variant() method. This method was susceptible to a denial-of-service attack when used with very long strings containing specific characters. Exploiting this vulnerability could cause significant delays or crashes in the affected application, potentially leading to service disruption. |
Django | 3.2.8 | <2.2.25 , >=3.2a1,<3.2.10 , >=3.1a1,<3.1.14 |
show Django versions 2.2.25, 3.1.14 and 3.2.10 include a fix for CVE-2021-44420: In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. https://www.djangoproject.com/weblog/2021/dec/07/security-releases/ |
Django | 3.2.8 | <2.2.27 , >=3.0a1,<3.2.12 , >=4.0a1,<4.0.2 |
show Django 2.2.27, 3.2.12 and 4.0.2 include a fix for CVE-2022-23833: Denial-of-service possibility in file uploads. https://www.djangoproject.com/weblog/2022/feb/01/security-releases |
Django | 3.2.8 | <4.2.16 , >=5.0a1,<5.0.9 , >=5.1a1,<5.1.1 |
show A security vulnerability has been discovered in certain versions of Django, affecting the password reset functionality. The PasswordResetForm class in django.contrib.auth.forms inadvertently allowed attackers to enumerate user email addresses by exploiting unhandled exceptions during the email sending process. This could be done by issuing password reset requests and observing the responses. To mitigate this risk, Django has implemented a fix where these exceptions are now caught and logged using the django.contrib.auth logger, preventing potential information leakage through error responses. |
Django | 3.2.8 | <4.2.16 , >=5.0a1,<5.0.9 , >=5.1a1,<5.1.1 |
show A potential denial-of-service vulnerability has been identified in Django's urlize() and urlizetrunc() functions in django.utils.html. This vulnerability can be triggered by inputting huge strings containing a specific sequence of characters. |
Django | 3.2.8 | <4.2.14 , >=5.0a1,<5.0.7 |
show Affected versions of Django are affected by a potential denial-of-service vulnerability in the django.utils.html.urlize() function. The urlize and urlizetrunc template filters were susceptible to a denial-of-service attack via certain inputs containing many brackets. An attacker could exploit this vulnerability to cause significant delays or crashes in the affected application. |
Django | 3.2.8 | <2.2.26 , >=3.0a1,<3.2.11 , >=4.0a1,<4.0.1 |
show Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ |
Django | 3.2.8 | <3.2.24 , >=4.0a1,<4.2.10 , >=5.0a1,<5.0.2 |
show Affected versions of Django are vulnerable to potential denial-of-service in intcomma template filter when used with very long strings. |
Django | 3.2.8 | <3.2.23 , >=4.0a1,<4.1.13 , >=4.2a1,<4.2.7 |
show Django 4.2.7, 4.1.13 and 3.2.23 include a fix for CVE-2023-46695: Potential denial of service vulnerability in UsernameField on Windows. https://www.djangoproject.com/weblog/2023/nov/01/security-releases |
Django | 3.2.8 | <3.2.16 , >=4.0a1,<4.0.8 , >=4.1a1,<4.1.2 |
show In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
Django | 3.2.8 | <3.2.14 , >=4.0a1,<4.0.6 |
show Django 3.2.14 and 4.0.6 include a fix for CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments. https://www.djangoproject.com/weblog/2022/jul/04/security-releases |
Django | 3.2.8 | <4.2.15 , >=5.0a1,<5.0.8 |
show Affected versions of Django has a potential SQL injection vulnerability in the QuerySet.values() and QuerySet.values_list() methods. When used on models with a JSONField, these methods are susceptible to SQL injection through column aliases if a crafted JSON object key is passed as an argument. |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.4.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.4.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.4.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.4.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.4.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Pillow | 8.4.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. |
Pillow | 8.4.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.4.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
Package | Installed | Affected | Info |
---|---|---|---|
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 ensures JpegImagePlugin stops at the end of a truncated file to avoid Denial of Service attacks. https://github.com/python-pillow/Pillow/pull/5921 https://github.com/advisories/GHSA-4fx9-vc88-q2xc |
Pillow | 8.4.0 | <9.0.1 |
show Pillow before 9.0.1 allows attackers to delete files because spaces in temporary pathnames are mishandled. |
Pillow | 8.4.0 | <10.0.0 |
show Pillow 10.0.0 includes a fix for CVE-2023-44271: Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of memory. This occurs for truetype in ImageFont when textlength in an ImageDraw instance operates on a long text argument. https://github.com/python-pillow/Pillow/pull/7244 |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 excludes carriage return in PDF regex to help prevent ReDoS. https://github.com/python-pillow/Pillow/pull/5912 https://github.com/python-pillow/Pillow/commit/43b800d933c996226e4d7df00c33fcbe46d97363 |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22816: path_getbbox in path.c in Pillow before 9.0.0 has a buffer over-read during initialization of ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.4.0 | <9.0.1 |
show Pillow 9.0.1 includes a fix for CVE-2022-22817: PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A first patch was issued for version 9.0.0 but it did not prevent builtins available to lambda expressions. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.1.html#security |
Pillow | 8.4.0 | >=2.5.0,<10.0.1 |
show Pillow 10.0.1 updates its C dependency 'libwebp' to 1.3.2 to include a fix for a high-risk vulnerability. https://pillow.readthedocs.io/en/stable/releasenotes/10.0.1.html |
Pillow | 8.4.0 | <9.0.0 |
show Pillow 9.0.0 includes a fix for CVE-2022-22815: path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. https://pillow.readthedocs.io/en/stable/releasenotes/9.0.0.html#fixed-imagepath-path-array-handling |
Pillow | 8.4.0 | <9.2.0 |
show Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification). |
Pillow | 8.4.0 | <10.2.0 |
show Pillow is potentially vulnerable to DoS attacks through PIL.ImageFont.ImageFont.getmask(). A decompression bomb check has also been added to the affected function. |
Pillow | 8.4.0 | <10.2.0 |
show Pillow is affected by an arbitrary code execution vulnerability. If an attacker has control over the keys passed to the environment argument of PIL.ImageMath.eval(), they may be able to execute arbitrary code. https://pillow.readthedocs.io/en/stable/releasenotes/10.2.0.html |
Pillow | 8.4.0 | <10.3.0 |
show Pillow 10.3.0 introduces a security update addressing CVE-2024-28219 by replacing certain functions with strncpy to prevent buffer overflow issues. |
ipython | 7.28.0 | >=8.0.0a0,<8.0.1 , >=7.17.0,<7.31.1 , >=6.0.0a0,<7.16.3 , <5.11 |
show Ipython versions 8.0.1, 7.31.1, 7.16.3 and 5.11 include a fix for CVE-2022-21699: Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x |
ipython | 7.28.0 | <8.10.0 |
show IPython 8.10.0 includes a fix for CVE-2023-24816: Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function 'IPython.utils.terminal.set_term_title' be called on Windows in a Python environment where ctypes is not available. The dependency on 'ctypes' in 'IPython.utils._process_win32' prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool 'set_term_title' could be called and hence introduce a vulnerability. If an attacker get untrusted input to an instance of this function they would be able to inject shell commands as current process and limited to the scope of the current process. As a workaround, users should ensure that any calls to the 'IPython.utils.terminal.set_term_title' function are done with trusted or filtered input. https://github.com/ipython/ipython/security/advisories/GHSA-29gw-9793-fvw7 |
https://pyup.io/repos/github/tiagocordeiro/gomenu/python-3-shield.svg
[![Python 3](https://pyup.io/repos/github/tiagocordeiro/gomenu/python-3-shield.svg)](https://pyup.io/repos/github/tiagocordeiro/gomenu/)
.. image:: https://pyup.io/repos/github/tiagocordeiro/gomenu/python-3-shield.svg :target: https://pyup.io/repos/github/tiagocordeiro/gomenu/ :alt: Python 3
<a href="https://pyup.io/repos/github/tiagocordeiro/gomenu/"><img src="https://pyup.io/repos/github/tiagocordeiro/gomenu/shield.svg" alt="Python 3" /></a>
!https://pyup.io/repos/github/tiagocordeiro/gomenu/python-3-shield.svg(Python 3)!:https://pyup.io/repos/github/tiagocordeiro/gomenu/
{<img src="https://pyup.io/repos/github/tiagocordeiro/gomenu/python-3-shield.svg" alt="Python 3" />}[https://pyup.io/repos/github/tiagocordeiro/gomenu/]
https://pyup.io/repos/github/tiagocordeiro/gomenu/shield.svg
[![Updates](https://pyup.io/repos/github/tiagocordeiro/gomenu/shield.svg)](https://pyup.io/repos/github/tiagocordeiro/gomenu/)
.. image:: https://pyup.io/repos/github/tiagocordeiro/gomenu/shield.svg :target: https://pyup.io/repos/github/tiagocordeiro/gomenu/ :alt: Updates
<a href="https://pyup.io/repos/github/tiagocordeiro/gomenu/"><img src="https://pyup.io/repos/github/tiagocordeiro/gomenu/shield.svg" alt="Updates" /></a>
!https://pyup.io/repos/github/tiagocordeiro/gomenu/shield.svg(Updates)!:https://pyup.io/repos/github/tiagocordeiro/gomenu/
{<img src="https://pyup.io/repos/github/tiagocordeiro/gomenu/shield.svg" alt="Updates" />}[https://pyup.io/repos/github/tiagocordeiro/gomenu/]