Coder Social home page Coder Social logo

nexmo-community / django-2fa-demo Goto Github PK

View Code? Open in Web Editor NEW
1.0 11.0 1.0 331 KB

Combining Django and the Nexmo Verify API to implement two factor authentication

License: MIT License

Python 63.10% HTML 36.90%
django django-2fa python security nexmo tutorial

django-2fa-demo's Introduction

Two Factor Authentication with Django and Nexmo Verify

❗❗❗ This repo is now deprecated. Check the Vonage Developer Blog for more blog posts and tutorials. For more sample Vonage projects, check the Vonage Community GitHub repo.

A demo that implements 2-factor-authentication in Django using the built in auth framework and the Nexmo Verify API.

Django 2FA

Read the tutorial

For a more in-depth walk-through make sure you read the full tutorial on our blog; Add Two factor Authentication to your Django app with Nexmo, or read more about the Nexmo Verify API on our developer site

Basic Login - before branch

The before branch is the starting point of the tutorial and is just a simple Django 1.9.8 app and some Bootstrap to provide a simple app with a login.

Usage

  • Clone this repository
  • Run git checkout before
  • Run pip install -r requirements.txt
  • Run python manage.py migrate
  • Run python manage.py loaddata fixtures/all.json
  • Run python manage.py runserver
  • Visit http://localhost:8000/
  • Login with:
    • username: test
    • password: test1234

Two Factor Authentication - after branch

The after branch is the end point of out tutorial, adding a TwoFactorMixin two our views and verifying a user's identity using their phone number.

The differences between these two branches can be seen here and in our in-dept tutorial

Usage

  • Clone this repository
  • Run git checkout after
  • Run pip install -r requirements.txt
  • Run python manage.py migrate
  • Run python manage.py loaddata fixtures/all.json
  • Copy .env.example to .env and add your Nexmo API key and secret
  • Run python manage.py runserver
  • Visit http://localhost:8000/
  • Login with:
    • username: test
    • password: test1234

License

This sample is released under the MIT License

django-2fa-demo's People

Contributors

aaronbassett avatar cbetta avatar maxkahan avatar

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

full-stack-dev410

django-2fa-demo's Issues

2FA authentication

We already have 2FA on one-login. Just plan to implement another one. Is it any way to configure Djongo or Nexmo on one-login too?
If yes, then is it authnticate with SAML or IDP Fedration?
Do you have documentation how to do it ?

crashes on django 1.11 when trying to log in

The application works fine under django 1.9 but the requirements.txt installs django 1.11 which crashes. suggest modifying requirements.txt to django 1.9 or locating a fix for the problem with django 1.11

nexmo-1.5.0-py3-none-any.whl: 4 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - nexmo-1.5.0-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nexmo version) Remediation Possible**
WS-2022-0365 Critical 9.8 cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl Transitive 2.1.0
CVE-2022-23491 High 7.5 certifi-2022.9.24-py3-none-any.whl Transitive 2.1.0
CVE-2023-0286 High 7.4 cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl Transitive N/A*
CVE-2023-23931 Medium 6.5 cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl Transitive 2.1.0

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2022-0365

Vulnerable Library - cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/9b/4e/d7454551c3c7b327510e35d88db35c300484225ba47be861e28f0b520b33/cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • nexmo-1.5.0-py3-none-any.whl (Root Library)
    • cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Publish Date: 2022-11-02

URL: WS-2022-0365

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-39hc-v87j-747x

Release Date: 2022-11-02

Fix Resolution (cryptography): 38.0.3

Direct dependency fix Resolution (nexmo): 2.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23491

Vulnerable Library - certifi-2022.9.24-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/1d/38/fa96a426e0c0e68aabc68e896584b83ad1eec779265a028e156ce509630e/certifi-2022.9.24-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • nexmo-1.5.0-py3-none-any.whl (Root Library)
    • requests-2.28.1-py3-none-any.whl
      • certifi-2022.9.24-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

Publish Date: 2022-12-07

URL: CVE-2022-23491

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23491

Release Date: 2022-12-07

Fix Resolution (certifi): 2022.12.7

Direct dependency fix Resolution (nexmo): 2.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-0286

Vulnerable Library - cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/9b/4e/d7454551c3c7b327510e35d88db35c300484225ba47be861e28f0b520b33/cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • nexmo-1.5.0-py3-none-any.whl (Root Library)
    • cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Publish Date: 2023-02-08

URL: CVE-2023-0286

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x4qr-2fvf-3mr5

Release Date: 2023-02-08

Fix Resolution: OpenSSL_1_0_2a--OpenSSL_1_0_2u;OpenSSL_1_1_1a--OpenSSL_1_1_1s;cryptography - 39.0.1

CVE-2023-23931

Vulnerable Library - cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/9b/4e/d7454551c3c7b327510e35d88db35c300484225ba47be861e28f0b520b33/cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • nexmo-1.5.0-py3-none-any.whl (Root Library)
    • cryptography-38.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Publish Date: 2023-02-07

URL: CVE-2023-23931

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931

Release Date: 2023-02-07

Fix Resolution (cryptography): 39.0.1

Direct dependency fix Resolution (nexmo): 2.1.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Django-1.11.3-py2.py3-none-any.whl: 17 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (Django version) Remediation Possible**
CVE-2019-19844 Critical 9.8 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.27
CVE-2020-7471 Critical 9.8 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.28
CVE-2019-14234 Critical 9.8 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.23
CVE-2022-34265 Critical 9.8 Django-1.11.3-py2.py3-none-any.whl Direct 3.2.14
CVE-2020-9402 High 8.8 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.29,2.2.11,3.0.4
CVE-2019-14232 High 7.5 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.23,2.1.11,2.2.4
CVE-2019-14235 High 7.5 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.23
CVE-2019-6975 High 7.5 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.20
CVE-2016-7401 High 7.5 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.15
CVE-2021-44420 High 7.3 Django-1.11.3-py2.py3-none-any.whl Direct Django - 2.2.25,3.1.14,3.2.10
CVE-2019-3498 Medium 6.5 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.18
CVE-2019-12308 Medium 6.1 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.21
CVE-2017-12794 Medium 6.1 Django-1.11.3-py2.py3-none-any.whl Direct 1.10.8,1.11.5
CVE-2018-14574 Medium 6.1 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.15
CVE-2019-12781 Medium 5.3 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.22
CVE-2018-7536 Medium 5.3 Django-1.11.3-py2.py3-none-any.whl Direct 2.0.3,1.11.11,1.8.19
CVE-2019-14233 Low 2.8 Django-1.11.3-py2.py3-none-any.whl Direct 1.11.23

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-19844

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Publish Date: 2019-12-18

URL: CVE-2019-19844

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844

Release Date: 2019-12-18

Fix Resolution: 1.11.27

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7471

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

Publish Date: 2020-02-03

URL: CVE-2020-7471

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471

Release Date: 2020-06-19

Fix Resolution: 1.11.28

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14234

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Publish Date: 2019-08-09

URL: CVE-2019-14234

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Release Date: 2019-08-09

Fix Resolution: 1.11.23

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-34265

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.

Publish Date: 2022-07-04

URL: CVE-2022-34265

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Release Date: 2022-07-04

Fix Resolution: 3.2.14

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-9402

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Publish Date: 2020-03-05

URL: CVE-2020-9402

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402

Release Date: 2020-03-05

Fix Resolution: 1.11.29,2.2.11,3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14232

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.

Publish Date: 2019-08-02

URL: CVE-2019-14232

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232

Release Date: 2019-08-02

Fix Resolution: 1.11.23,2.1.11,2.2.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14235

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

Publish Date: 2019-08-02

URL: CVE-2019-14235

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235

Release Date: 2019-08-02

Fix Resolution: 1.11.23

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-6975

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.

Publish Date: 2019-02-11

URL: CVE-2019-6975

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2019/feb/11/security-releases/

Release Date: 2019-02-11

Fix Resolution: 1.11.20

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-7401

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.

Publish Date: 2016-10-03

URL: CVE-2016-7401

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7401

Release Date: 2016-10-03

Fix Resolution: 1.11.15

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44420

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Publish Date: 2021-12-08

URL: CVE-2021-44420

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://docs.djangoproject.com/en/3.2/releases/security/

Release Date: 2021-12-08

Fix Resolution: Django - 2.2.25,3.1.14,3.2.10

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-3498

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

Publish Date: 2019-01-09

URL: CVE-2019-3498

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

Release Date: 2019-01-09

Fix Resolution: 1.11.18

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-12308

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.

Publish Date: 2019-06-03

URL: CVE-2019-12308

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12308

Release Date: 2019-06-03

Fix Resolution: 1.11.21

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-12794

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with "DEBUG = True" (which makes this page accessible) in your production settings.

Publish Date: 2017-09-07

URL: CVE-2017-12794

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-12794

Release Date: 2017-09-07

Fix Resolution: 1.10.8,1.11.5

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-14574

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.

Publish Date: 2018-08-03

URL: CVE-2018-14574

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14574

Release Date: 2018-08-03

Fix Resolution: 1.11.15

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-12781

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

Publish Date: 2019-07-01

URL: CVE-2019-12781

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://docs.djangoproject.com/en/dev/releases/security/

Release Date: 2019-07-01

Fix Resolution: 1.11.22

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-7536

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

Publish Date: 2018-03-09

URL: CVE-2018-7536

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7536

Release Date: 2018-03-09

Fix Resolution: 2.0.3,1.11.11,1.8.19

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-14233

Vulnerable Library - Django-1.11.3-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/fe/ca/a7b35a0f5088f26b1ef3c7add57161a7d387a4cbd30db01c1091aa87e207/Django-1.11.3-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

  • Django-1.11.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 40ff9ebff1e285085438e112a8f5476aa630a271

Found in base branch: before

Vulnerability Details

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.

Publish Date: 2019-08-02

URL: CVE-2019-14233

CVSS 3 Score Details (2.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233

Release Date: 2019-08-02

Fix Resolution: 1.11.23

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.