{"affected":[{"ecosystem_specific":{"binaries":[{"python3-Django":"2.2.28-bp153.2.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP3","name":"python-Django","purl":"pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.28-bp153.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"python3-Django":"2.2.28-bp153.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"python-Django","purl":"pkg:rpm/opensuse/python-Django&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.2.28-bp153.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for python-Django fixes the following issues:\n\n- CVE-2022-41323: Fixed potential denial-of-service vulnerability in internationalized URLs (boo#1203793)\n- CVE-2022-36359: Fixed a potential reflected file download vulnerability in FileResponse (boo#1201923)\n\n- Update from 2.2.12 to 2.2.28 (boo#1198297)\n\n  * Many CVE fixes (check https://github.com/django/django/blob/main/docs/releases/)\n\n  2.2.28:\n\n  - CVE-2022-28346: Fixed potential SQL injection in QuerySet.annotate(), aggregate(), and extra() (bsc#1198398)\n  - CVE-2022-28347: Fixed potential SQL injection via QuerySet.explain(**options) (bsc#1198399)\n\n  2.2.27:\n\n  - CVE-2022-22818: Fixed possible XSS via ``{% debug %}`` template tag (bsc#1195086)\n  - CVE-2022-23833: Fixed denial-of-service possibility in file uploads (bsc#1195088)\n\n  2.2.26:\n\n  - CVE-2021-45115: Denial-of-service possibility in ``UserAttributeSimilarityValidator`` (bsc#1194115)\n  - CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter (bsc#1194117)\n  - CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` (bsc#)\n\n  2.2.25:\n\n  - CVE-2021-44420: Potential bypass of an upstream access control based on URL paths (bsc#1193240)\n\n  2.2.24:\n\n  - CVE-2021-33203: Potential directory traversal via ``admindocs``\n  - CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses\n\n  2.2.23:\n\n  - regression fix\n\n  2.2.22:\n\n  - CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+\n\n","id":"openSUSE-SU-2023:0005-1","modified":"2023-01-03T11:02:47Z","published":"2023-01-03T11:02:47Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UHF5IZKTZ2T4T4QQYZMUFHW422X3WCU6/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185713"},{"type":"REPORT","url":"https://bugzilla.suse.com/1186608"},{"type":"REPORT","url":"https://bugzilla.suse.com/1186611"},{"type":"REPORT","url":"https://bugzilla.suse.com/1193240"},{"type":"REPORT","url":"https://bugzilla.suse.com/1194115"},{"type":"REPORT","url":"https://bugzilla.suse.com/1194116"},{"type":"REPORT","url":"https://bugzilla.suse.com/1194117"},{"type":"REPORT","url":"https://bugzilla.suse.com/1195086"},{"type":"REPORT","url":"https://bugzilla.suse.com/1195088"},{"type":"REPORT","url":"https://bugzilla.suse.com/1198297"},{"type":"REPORT","url":"https://bugzilla.suse.com/1198398"},{"type":"REPORT","url":"https://bugzilla.suse.com/1198399"},{"type":"REPORT","url":"https://bugzilla.suse.com/1201923"},{"type":"REPORT","url":"https://bugzilla.suse.com/1203793"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-32052"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-33203"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-33571"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-44420"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-45115"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-45116"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-45452"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-22818"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-23833"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-28346"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-28347"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-36359"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-41323"}],"related":["CVE-2021-32052","CVE-2021-33203","CVE-2021-33571","CVE-2021-44420","CVE-2021-45115","CVE-2021-45116","CVE-2021-45452","CVE-2022-22818","CVE-2022-23833","CVE-2022-28346","CVE-2022-28347","CVE-2022-36359","CVE-2022-41323"],"summary":"Security update for python-Django","upstream":["CVE-2021-32052","CVE-2021-33203","CVE-2021-33571","CVE-2021-44420","CVE-2021-45115","CVE-2021-45116","CVE-2021-45452","CVE-2022-22818","CVE-2022-23833","CVE-2022-28346","CVE-2022-28347","CVE-2022-36359","CVE-2022-41323"]}