nadgowdas / gitsecure-test
License: Apache License 2.0
Checks powered by Hadolint
Hadolint is a smarter Dockerfile linter that helps you build best-practice Docker images.
Control ID | Section | Description |
---|---|---|
SA-11 (1) | System and Services Acquisition | Developer Security Testing and Evaluation - Static Code Analysis |
Line # | ID | Description |
---|---|---|
2 | DL3008 | Pin versions in apt-get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>` |
2 | DL3009 | Delete the apt-get lists after installing something |
2 | DL3015 | Avoid additional packages by specifying --no-install-recommends |
Control ID | Section | Description |
---|---|---|
CM-6 | Configuration Management | Configuration Settings |
CA-2 | Security Assessment and Authorization | Security Assessments |
Dockerfile: redis.yaml
ID | Rule | Compliant? |
---|---|---|
5.7 | Ensure privileged ports are not mapped within containers | ✔️ |
5.10 | Ensure memory usage for container is limited | ❌ |
5.26 | Ensure container health is checked at runtime | ? |
5.1 | Ensure AppArmor Profile is Enabled | ? |
5.2 | Ensure SELinux security options are set, if applicable | ? |
5.6 | Ensure ssh is not run within containers | ? |
5.3 | Ensure Linux Kernel Capabilities are restricted within containers | ✔️ |
5.11 | Ensure CPU priority is set appropriately on the container | ✔️ |
5.16 | Ensure the host's IPC namespace is not shared | ✔️ |
5.17 | Ensure host devices are not directly exposed to containers | ? |
5.4 | Ensure privileged containers are not used | ✔️ |
5.8 | Ensure only needed ports are open on the container | ? |
5.24 | Ensure cgroup usage is confirmed | ? |
5.31 | Ensure the Docker socket is not mounted inside any containers | ✔️ |
5.9 | Ensure the host's network namespace is not shared | ✔️ |
5.22 | Ensure docker exec commands are not used with privileged option | ? |
5.25 | Ensure the container is restricted from acquiring additional privileges | ? |
5.28 | Ensure PIDs cgroup limit is used | ? |
5.19 | Ensure mount propagation mode is not set to shared | ? |
5.20 | Ensure the host's UTS namespace is not shared | ? |
5.23 | Ensure docker exec commands are not used with user option | ? |
5.27 | Ensure docker commands always get the latest version of the image | ? |
5.13 | Ensure incoming container traffic is bound to a specific host interface | ? |
5.14 | Ensure 'on-failure' container restart policy is set to '5' | ? |
5.15 | Ensure the host's process namespace is not shared | ✔️ |
5.18 | Ensure the default ulimit is overwritten at runtime, only if needed | ? |
5.29 | Ensure Docker's default bridge docker0 is not used | ? |
5.30 | Ensure the host's user namespaces are not shared | ? |
5.5 | Ensure sensitive host system directories are not mounted on containers | ✔️ |
5.12 | Ensure the container's root filesystem is mounted as read only | ? |
5.21 | Ensure the default seccomp profile is not disabled | ? |
Control ID | Section | Description |
---|---|---|
RA-5 | Risk Assessment | Vulnerability Scanning |
CA-7 | Security Assessment and Authorization | Continuous Monitoring |
SA-12 | System and Services Acquisition | Supply Chain Protection |
SI-2 | System and Information Integrity | Flaw Remediation |
CM-4 | Configuration Management | Security Impact Analysis |
CA-2 | Security Assessment and Authorization | Security Assessments |
✅ OS Packages Safe
❌ Pip Packages Safe
✅ Node Packages Safe
Recommended update : 0.12.6
CVE : CVE-2019-19588
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-19588
Description : The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6.
CVE : GHSA-5qcg-w2cc-xffw
Severity : HIGH
Link :
Description : The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6.
Recommended update : 0.9.0
CVE : CVE-2020-5227
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2020-5227
Description : ### Impact
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only.
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Updating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.
If you have any questions or comments about this advisory:
CVE : GHSA-g8q7-xv52-hf9f
Severity : HIGH
Link : GHSA-g8q7-xv52-hf9f
Description : ### Impact
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only.
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Updating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.
If you have any questions or comments about this advisory:
Recommended update : 1.7.0
CVE : CVE-2017-18361
Severity : LOW
Link : https://nvd.nist.gov/vuln/detail/CVE-2017-18361
Description : In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
CVE : GHSA-rv95-4wxj-6fqq
Severity : LOW
Link :
Description : In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
Recommended update :
CVE : CVE-2010-3082
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-3082
Description : Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
CVE : GHSA-fxpg-gg9g-76gj
Severity : MODERATE
Link :
Description : Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
CVE : CVE-2011-4136
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4136
Description : django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE : GHSA-x88j-93vc-wpmp
Severity : MODERATE
Link :
Description : django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE : CVE-2011-0698
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0698
Description : Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
CVE : GHSA-7g9h-c88w-r7h2
Severity : HIGH
Link :
Description : Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
CVE : CVE-2010-4535
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-4535
Description : The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
CVE : GHSA-7wph-fc4w-wqp2
Severity : MODERATE
Link :
Description : The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
CVE : CVE-2010-4534
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-4534
Description : The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
CVE : GHSA-fwr5-q9rx-294f
Severity : MODERATE
Link :
Description : The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
CVE : CVE-2011-4137
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4137
Description : The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
CVE : GHSA-3jqw-crqj-w8qw
Severity : MODERATE
Link :
Description : The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
CVE : CVE-2011-4140
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4140
Description : The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE : GHSA-h95j-h2rv-qrg4
Severity : MODERATE
Link :
Description : The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE : CVE-2011-0696
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0696
Description : Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
CVE : GHSA-5j2h-h5hg-3wf8
Severity : MODERATE
Link :
Description : Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
CVE : CVE-2011-0697
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0697
Description : Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
CVE : GHSA-8m3r-rv5g-fcpq
Severity : MODERATE
Link :
Description : Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
CVE : CVE-2019-3498
Severity : LOW
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-3498
Description : In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
CVE : GHSA-337x-4q8g-prc5
Severity : LOW
Link :
Description : In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
CVE : CVE-2019-6975
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-6975
Description : Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
CVE : GHSA-wh4h-v3f2-r2pp
Severity : MODERATE
Link :
Description : Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
CVE : CVE-2015-5143
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2015-5143
Description : The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
CVE : GHSA-h582-2pch-3xv3
Severity : HIGH
Link :
Description : The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
CVE : CVE-2019-19844
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-19844
Description : Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
CVE : GHSA-vfq6-hq5r-27r6
Severity : MODERATE
Link :
Description : Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
PR Created at: #85
Control ID | Section | Description |
---|---|---|
CM-8 | Configuration Management | Information System Component Inventory |
Download Bill of Material Report: [JSON Format]
PR Created at: #77
Checks powered by Hadolint
Haolint is a smarter Dockerfile linter that helps you build best practice Docker images.
Control ID | Section | Description |
---|---|---|
SA-11 (1) | System and Services Acquisition | Developer Security Testing and Evaluation - Static Code Analysis |
Line # | ID | Description |
---|---|---|
2 | DL3008 | Pin versions in apt get install. Instead of apt-get install <package> use apt-get install <package>=<version> |
2 | DL3009 | Delete the apt-get lists after installing something |
2 | DL3015 | Avoid additional packages by specifying --no-install-recommends |
Checks powered by Hadolint
Haolint is a smarter Dockerfile linter that helps you build best practice Docker images.
Control ID | Section | Description |
---|---|---|
SA-11 (1) | System and Services Acquisition | Developer Security Testing and Evaluation - Static Code Analysis |
Line # | ID | Description |
---|---|---|
2 | DL3008 | Pin versions in apt get install. Instead of apt-get install <package> use apt-get install <package>=<version> |
2 | DL3009 | Delete the apt-get lists after installing something |
2 | DL3015 | Avoid additional packages by specifying --no-install-recommends |
Control ID | Section | Description |
---|---|---|
RA-5 | Risk Assessment | Vulnerability Scanning |
CA-7 | Security Assessment and Authorization | Continuous Monitoring |
SA-12 | System and Services Acquisition | Supply Chain Protection |
SI-2 | System and Information Integrity | Flaw Remediation |
CM-4 | Configuration Management | Security Impact Analysis |
CA-2 | Security Assessment and Authorization | Security Assessments |
✅ OS Packages Safe
❌ Pip Packages Safe
✅ Node Packages Safe
Recommended update : 0.12.6
CVE : CVE-2019-19588
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-19588
Description : The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6.
CVE : GHSA-5qcg-w2cc-xffw
Severity : HIGH
Link :
Description : The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6.
Recommended update : 0.9.0
CVE : CVE-2020-5227
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2020-5227
Description : ### Impact
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only.
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Updating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.
If you have any questions or comments about this advisory:
CVE : GHSA-g8q7-xv52-hf9f
Severity : HIGH
Link : GHSA-g8q7-xv52-hf9f
Description : ### Impact
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only.
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Updating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.
If you have any questions or comments about this advisory:
Recommended update : 1.7.0
CVE : CVE-2017-18361
Severity : LOW
Link : https://nvd.nist.gov/vuln/detail/CVE-2017-18361
Description : In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
CVE : GHSA-rv95-4wxj-6fqq
Severity : LOW
Link :
Description : In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
Recommended update :
CVE : CVE-2010-3082
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-3082
Description : Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
CVE : GHSA-fxpg-gg9g-76gj
Severity : MODERATE
Link :
Description : Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
CVE : CVE-2011-4136
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4136
Description : django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE : GHSA-x88j-93vc-wpmp
Severity : MODERATE
Link :
Description : django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE : CVE-2011-0698
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0698
Description : Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
CVE : GHSA-7g9h-c88w-r7h2
Severity : HIGH
Link :
Description : Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
CVE : CVE-2010-4535
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-4535
Description : The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
CVE : GHSA-7wph-fc4w-wqp2
Severity : MODERATE
Link :
Description : The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
CVE : CVE-2010-4534
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-4534
Description : The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
CVE : GHSA-fwr5-q9rx-294f
Severity : MODERATE
Link :
Description : The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
CVE : CVE-2011-4137
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4137
Description : The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
CVE : GHSA-3jqw-crqj-w8qw
Severity : MODERATE
Link :
Description : The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
CVE : CVE-2011-4140
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4140
Description : The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE : GHSA-h95j-h2rv-qrg4
Severity : MODERATE
Link :
Description : The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE : CVE-2011-0696
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0696
Description : Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
CVE : GHSA-5j2h-h5hg-3wf8
Severity : MODERATE
Link :
Description : Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
CVE : CVE-2011-0697
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0697
Description : Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
CVE : GHSA-8m3r-rv5g-fcpq
Severity : MODERATE
Link :
Description : Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
CVE : CVE-2019-3498
Severity : LOW
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-3498
Description : In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
CVE : GHSA-337x-4q8g-prc5
Severity : LOW
Link :
Description : In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
CVE : CVE-2019-6975
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-6975
Description : Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
CVE : GHSA-wh4h-v3f2-r2pp
Severity : MODERATE
Link :
Description : Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
CVE : CVE-2015-5143
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2015-5143
Description : The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
CVE : GHSA-h582-2pch-3xv3
Severity : HIGH
Link :
Description : The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
CVE : CVE-2019-19844
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-19844
Description : Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
CVE : GHSA-vfq6-hq5r-27r6
Severity : MODERATE
Link :
Description : Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
PR Created at: #81
Control ID | Section | Description |
---|---|---|
CM-6 | Configuration Management | Configuration Settings |
CA-2 | Security Assessment and Authorization | Security Assessments |
Dockerfile: redis.yaml
ID | Rule | Compliant? |
---|---|---|
5.12 | Ensure the container's root filesystem is mounted as read only | ? |
5.13 | Ensure incoming container traffic is binded to a specific host interface | ? |
5.15 | Ensure the host's process namespace is not shared | ✔️ |
5.31 | Ensure the Docker socket is not mounted inside any containers | ✔️ |
5.1 | Ensure AppArmor Profile is Enabled | ? |
5.3 | Ensure Linux Kernel Capabilities are restricted within containers | ✔️ |
5.8 | Ensure only needed ports are open on the container | ? |
5.25 | Ensure the container is restricted from acquiring additional privileges | ? |
5.7 | Ensure privileged ports are not mapped within containers | ✔️ |
5.9 | Ensure the host's network namespace is not shared | ✔️ |
5.18 | Ensure the default ulimit is overwritten at runtime, only if needed | ? |
5.24 | Ensure cgroup usage is confirmed | ? |
5.2 | Ensure SELinux security options are set, if applicable | ? |
5.6 | Ensure ssh is not run within containers | ? |
5.20 | Ensure the host's UTS namespace is not shared | ? |
5.23 | Ensure docker exec commands are not used with user option | ? |
5.26 | Ensure container health is checked at runtime | ? |
5.29 | Ensure Docker's default bridge docker0 is not used | ? |
5.11 | Ensure CPU priority is set appropriately on the container | ✔️ |
5.5 | Ensure sensitive host system directories are not mounted on containers | ✔️ |
5.30 | Ensure the host's user namespaces is not shared | ? |
5.10 | Ensure memory usage for container is limited | ❌ |
5.19 | Ensure mount propagation mode is not set to shared | ? |
5.21 | Ensure the default seccomp profile is not Disabled | ? |
5.28 | Ensure PIDs cgroup limit is used | ? |
5.4 | Ensure privileged containers are not used | ✔️ |
5.14 | Ensure 'on-failure' container restart policy is set to '5' | ? |
5.16 | Ensure the host's IPC namespace is not shared | ✔️ |
5.17 | Ensure host devices are not directly exposed to containers | ? |
5.22 | Ensure docker exec commands are not used with privileged option | ? |
5.27 | Ensure docker commands always get the latest version of the image | ? |
Control ID | Section | Description |
---|---|---|
RA-5 | Risk Assessment | Vulnerability Scanning |
CA-7 | Security Assessment and Authorization | Continuous Monitoring |
SA-12 | System and Services Acquisition | Supply Chain Protection |
SI-2 | System and Information Integrity | Flaw Remediation |
CM-4 | Configuration Management | Security Impact Analysis |
CA-2 | Security Assessment and Authorization | Security Assessments |
✅ OS Packages Safe
❌ Pip Packages Safe
✅ Node Packages Safe
Recommended update : 0.12.6
CVE : CVE-2019-19588
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-19588
Description : The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6.
CVE : GHSA-5qcg-w2cc-xffw
Severity : HIGH
Link :
Description : The validators package 0.12.2 through 0.12.5 for Python enters an infinite loop when validators.domain is called with a crafted domain string. This is fixed in 0.12.6.
Recommended update : 0.9.0
CVE : CVE-2020-5227
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2020-5227
Description : ### Impact
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only.
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Updating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.
If you have any questions or comments about this advisory:
CVE : GHSA-g8q7-xv52-hf9f
Severity : HIGH
Link : GHSA-g8q7-xv52-hf9f
Description : ### Impact
The feedgen library allows supplying XML as content for some of the available fields. This XML will be parsed and integrated into the existing XML tree. During this process, feedgen is vulnerable to XML Denial of Service Attacks (e.g. XML Bomb).
This becomes a concern in particular if feedgen is used to include content from untrusted sources and if XML (including XHTML) is directly included instead of providing plain text content only.
This problem has been fixed in feedgen 0.9.0 which disallows XML entity expansion and external resources.
Updating is strongly recommended and should not be problematic. Nevertheless, as a workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.
If you have any questions or comments about this advisory:
Recommended update : 1.7.0
CVE : CVE-2017-18361
Severity : LOW
Link : https://nvd.nist.gov/vuln/detail/CVE-2017-18361
Description : In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
CVE : GHSA-rv95-4wxj-6fqq
Severity : LOW
Link :
Description : In Pylons Colander through 1.6, the URL validator allows an attacker to potentially cause an infinite loop thereby causing a denial of service via an unclosed parenthesis.
Recommended update :
CVE : CVE-2010-3082
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-3082
Description : Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
CVE : GHSA-fxpg-gg9g-76gj
Severity : MODERATE
Link :
Description : Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.
CVE : CVE-2011-4136
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4136
Description : django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE : GHSA-x88j-93vc-wpmp
Severity : MODERATE
Link :
Description : django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
CVE : CVE-2011-0698
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0698
Description : Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
CVE : GHSA-7g9h-c88w-r7h2
Severity : HIGH
Link :
Description : Directory traversal vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 on Windows might allow remote attackers to read or execute files via a / (slash) character in a key in a session cookie, related to session replays.
CVE : CVE-2010-4535
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-4535
Description : The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
CVE : GHSA-7wph-fc4w-wqp2
Severity : MODERATE
Link :
Description : The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
CVE : CVE-2010-4534
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2010-4534
Description : The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
CVE : GHSA-fwr5-q9rx-294f
Severity : MODERATE
Link :
Description : The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
CVE : CVE-2011-4137
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4137
Description : The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
CVE : GHSA-3jqw-crqj-w8qw
Severity : MODERATE
Link :
Description : The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
CVE : CVE-2011-4140
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-4140
Description : The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE : GHSA-h95j-h2rv-qrg4
Severity : MODERATE
Link :
Description : The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.
CVE : CVE-2011-0696
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0696
Description : Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
CVE : GHSA-5j2h-h5hg-3wf8
Severity : MODERATE
Link :
Description : Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged AJAX requests that leverage a "combination of browser plugins and redirects," a related issue to CVE-2011-0447.
CVE : CVE-2011-0697
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2011-0697
Description : Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
CVE : GHSA-8m3r-rv5g-fcpq
Severity : MODERATE
Link :
Description : Cross-site scripting (XSS) vulnerability in Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 might allow remote attackers to inject arbitrary web script or HTML via a filename associated with a file upload.
CVE : CVE-2019-3498
Severity : LOW
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-3498
Description : In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
CVE : GHSA-337x-4q8g-prc5
Severity : LOW
Link :
Description : In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
CVE : CVE-2019-6975
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-6975
Description : Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
CVE : GHSA-wh4h-v3f2-r2pp
Severity : MODERATE
Link :
Description : Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
CVE : CVE-2015-5143
Severity : HIGH
Link : https://nvd.nist.gov/vuln/detail/CVE-2015-5143
Description : The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
CVE : GHSA-h582-2pch-3xv3
Severity : HIGH
Link :
Description : The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.
CVE : CVE-2019-19844
Severity : MODERATE
Link : https://nvd.nist.gov/vuln/detail/CVE-2019-19844
Description : Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
CVE : GHSA-vfq6-hq5r-27r6
Severity : MODERATE
Link :
Description : Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
PR Created at: #75