Skip to content
This repository was archived by the owner on Jan 5, 2026. It is now read-only.

Fix django vulnerability#1817

Merged
BruceHaley merged 2 commits into
mainfrom
bruce/fixdjangovulnerability10-11
Oct 12, 2021
Merged

Fix django vulnerability#1817
BruceHaley merged 2 commits into
mainfrom
bruce/fixdjangovulnerability10-11

Conversation

@BruceHaley

@BruceHaley BruceHaley commented Oct 11, 2021

Copy link
Copy Markdown
Contributor

Fixes #minor

Description

Component Governance: CVE-2021-33571, severity high
https://dev.azure.com/FuseLabs/SDK_v4/_componentGovernance/112465/alert/5974475?typeId=4354877
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses.

Same fix also covers:
Component Governance: CVE-2021-31542, severity high
https://dev.azure.com/FuseLabs/SDK_v4/_componentGovernance/112465/alert/4935093?typeId=4354877

Component Governance: CVE-2021-33203, severity high
https://dev.azure.com/FuseLabs/SDK_v4/_componentGovernance/112465/alert/5199196?typeId=4354877

Specific Changes

Update django to v 2.2.24

@BruceHaley BruceHaley merged commit 41211de into main Oct 12, 2021
@BruceHaley BruceHaley deleted the bruce/fixdjangovulnerability10-11 branch October 12, 2021 17:44
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants