python311-Django-5.1.5-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15724 Final 1 1 2025-01-17T00:00:00Z current 2025-01-17T00:00:00Z 2025-01-17T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python311-Django-5.1.5-1.1 on GA media These are all security issues fixed in the python311-Django-5.1.5-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15724 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-45115/ SUSE CVE CVE-2021-45115 page https://www.suse.com/security/cve/CVE-2021-45452/ SUSE CVE CVE-2021-45452 page https://www.suse.com/security/cve/CVE-2022-22818/ SUSE CVE CVE-2022-22818 page https://www.suse.com/security/cve/CVE-2022-23833/ SUSE CVE CVE-2022-23833 page https://www.suse.com/security/cve/CVE-2022-28346/ SUSE CVE CVE-2022-28346 page https://www.suse.com/security/cve/CVE-2022-28347/ SUSE CVE CVE-2022-28347 page https://www.suse.com/security/cve/CVE-2022-34265/ SUSE CVE CVE-2022-34265 page https://www.suse.com/security/cve/CVE-2022-36359/ SUSE CVE CVE-2022-36359 page https://www.suse.com/security/cve/CVE-2022-41323/ SUSE CVE CVE-2022-41323 page https://www.suse.com/security/cve/CVE-2023-23969/ SUSE CVE CVE-2023-23969 page https://www.suse.com/security/cve/CVE-2023-24580/ SUSE CVE CVE-2023-24580 page https://www.suse.com/security/cve/CVE-2024-56374/ SUSE CVE CVE-2024-56374 page openSUSE Tumbleweed python311-Django-5.1.5-1.1 python312-Django-5.1.5-1.1 python313-Django-5.1.5-1.1 python311-Django-5.1.5-1.1 as a component of openSUSE Tumbleweed python312-Django-5.1.5-1.1 as a component of openSUSE Tumbleweed python313-Django-5.1.5-1.1 as a component of openSUSE Tumbleweed An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. CVE-2021-45115 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-45115.html CVE-2021-45115 https://bugzilla.suse.com/1194115 SUSE Bug 1194115 https://bugzilla.suse.com/1194117 SUSE Bug 1194117 Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. CVE-2021-45452 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-45452.html CVE-2021-45452 https://bugzilla.suse.com/1194116 SUSE Bug 1194116 The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. CVE-2022-22818 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22818.html CVE-2022-22818 https://bugzilla.suse.com/1195086 SUSE Bug 1195086 An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files. CVE-2022-23833 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23833.html CVE-2022-23833 https://bugzilla.suse.com/1195088 SUSE Bug 1195088 An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. CVE-2022-28346 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28346.html CVE-2022-28346 https://bugzilla.suse.com/1198398 SUSE Bug 1198398 A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. CVE-2022-28347 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-28347.html CVE-2022-28347 https://bugzilla.suse.com/1198399 SUSE Bug 1198399 An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. CVE-2022-34265 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-34265.html CVE-2022-34265 https://bugzilla.suse.com/1201186 SUSE Bug 1201186 An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. CVE-2022-36359 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-36359.html CVE-2022-36359 https://bugzilla.suse.com/1201923 SUSE Bug 1201923 In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. CVE-2022-41323 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-41323.html CVE-2022-41323 https://bugzilla.suse.com/1203793 SUSE Bug 1203793 In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. CVE-2023-23969 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-23969.html CVE-2023-23969 https://bugzilla.suse.com/1207565 SUSE Bug 1207565 An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. CVE-2023-24580 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-24580.html CVE-2023-24580 https://bugzilla.suse.com/1208082 SUSE Bug 1208082 An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The django.db.models.GenericIPAddressField model field is not affected.) CVE-2024-56374 openSUSE Tumbleweed:python311-Django-5.1.5-1.1 openSUSE Tumbleweed:python312-Django-5.1.5-1.1 openSUSE Tumbleweed:python313-Django-5.1.5-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-56374.html CVE-2024-56374 https://bugzilla.suse.com/1235856 SUSE Bug 1235856