Alpine: multiple py3-django packages: security update to 4.2.16-r0

Critical Tenable Cloud Security Plugin ID 426372

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs. The text below describes five of the ten CVEs this plugin references; the remaining five (CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, CVE-2024-45230 and CVE-2024-45231) appear only in the See Also and Reference Information sections:

- An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and
values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a
crafted JSON object key as a passed *arg. (CVE-2024-42005)

- An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were
subject to a potential denial of service attack via certain inputs with a very large number of brackets.
(CVE-2024-38875)

- An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The
django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users
via a timing attack involving login requests for users with an unusable password. (CVE-2024-39329)

- An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the
django.core.files.storage.Storage base class, when they override generate_filename() without replicating
the file-path validations from the parent class, potentially allow directory traversal via certain inputs
during a save() call. (Built-in Storage sub-classes are unaffected.) (CVE-2024-39330)

- An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant()
was subject to a potential denial-of-service attack when used with very long strings containing specific
characters. (CVE-2024-39614)
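
The CVE-2024-42005 entry above is an alias injection: the JSON path is bound as a query parameter, but the same key also becomes the SQL column alias, which is spliced into the query text. The following is an added example, not Django's code and not code from the plugin page. It models that query shape against an in-memory SQLite table with constructed data (it assumes the sqlite3 module was built with JSON support) and adds the kind of character check that blocks the payload. FORBIDDEN_ALIAS_CHARS, compile_json_values_query, values_unsafe, values_safe and PAYLOAD are this example's own names.

```python
import re
import sqlite3

# Constructed guard, modelled on the idea behind alias validation in an ORM
# (not Django's code): an alias may not contain quotes, brackets, semicolons
# or whitespace, because it is interpolated into SQL text rather than bound.
FORBIDDEN_ALIAS_CHARS = re.compile(r"['`\"\]\[;\s]")


def build_db():
    """Constructed sample data: a table with a JSON column and a column that
    a values('data__nickname') call is never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile (id INTEGER PRIMARY KEY, data TEXT NOT NULL, api_key TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO profile (data, api_key) VALUES (?, ?)",
        ('{"nickname": "alice"}', "sk-constructed-secret"),
    )
    conn.commit()
    return conn


def compile_json_values_query(json_key, validate):
    """Turn a lookup such as data__<json_key> into SQL the way an ORM might:
    the JSON path travels as a bound parameter, but the column alias is
    spliced into the SQL string. That split is the shape of CVE-2024-42005."""
    alias = f"data__{json_key}"
    if validate and FORBIDDEN_ALIAS_CHARS.search(alias):
        raise ValueError(
            f"Column alias {alias!r} contains whitespace, quotation marks, semicolons or brackets"
        )
    sql = f'SELECT json_extract(data, ?) AS "{alias}" FROM profile'
    params = (f"$.{json_key}",)
    return sql, params


def values_unsafe(conn, json_key):
    """Pre-fix behaviour: the alias is trusted verbatim."""
    sql, params = compile_json_values_query(json_key, validate=False)
    return conn.execute(sql, params).fetchall()


def values_safe(conn, json_key):
    """Hardened behaviour: the alias is checked before it reaches the SQL text."""
    sql, params = compile_json_values_query(json_key, validate=True)
    return conn.execute(sql, params).fetchall()


# Crafted key: closes the quoted alias and appends a second select-list item.
# The JSON path parameter becomes '$.nickname", api_key AS "leak', which simply
# matches no key, while the alias text now reads ... AS "data__nickname", api_key AS "leak".
PAYLOAD = 'nickname", api_key AS "leak'

if __name__ == "__main__":
    conn = build_db()
    print(values_unsafe(conn, "nickname"))  # [('alice',)]
    print(values_unsafe(conn, PAYLOAD))     # [(None, 'sk-constructed-secret')]
    try:
        values_safe(conn, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The point to take from the example is that parameter binding alone does not help when an identifier (here an alias) is built from the same attacker-controlled string; identifiers cannot be bound, so they must be validated or quoted by the database adapter's identifier-quoting routine before use.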
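
CVE-2024-39329 is a timing side channel: the password hash check was skipped for accounts whose password is unusable, so a login attempt against such an account returned faster than a wrong password for a normal account, and faster than the dummy hash already run for unknown usernames. The following is an added example, not Django's code and not code from the plugin page. A counting PBKDF2 hasher makes the amount of work on each path observable without wall-clock measurements, which are noisy in a test. The user table, the ITERATIONS value and the dummy-hash approach taken by the fixed variant are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed settings: real deployments use far more iterations; kept low so the demo runs quickly.
ITERATIONS = 20_000
UNUSABLE_PREFIX = "!"  # convention: a stored value starting with "!" can never match a password


class CountingHasher:
    """PBKDF2-HMAC-SHA256 with a call counter, so the work done on each login
    path is observable without relying on timing."""

    def __init__(self):
        self.calls = 0

    def encode(self, password, salt):
        self.calls += 1
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
        return f"pbkdf2_sha256${ITERATIONS}${salt}${dk.hex()}"

    def verify(self, password, encoded):
        _, _, salt, _ = encoded.split("$", 3)
        return hmac.compare_digest(self.encode(password, salt), encoded)


def is_password_usable(encoded):
    return not encoded.startswith(UNUSABLE_PREFIX)


def build_users(hasher):
    """Constructed user table: one normal account and one account (e.g. created
    through social login) that has an unusable password."""
    return {
        "alice": {"password": hasher.encode("correct horse battery staple", secrets.token_hex(8))},
        "bob": {"password": UNUSABLE_PREFIX + secrets.token_urlsafe(30)},
    }


def authenticate_vulnerable(hasher, users, username, password):
    """Shape of the bug: unknown usernames already pay for a dummy hash (an
    older mitigation), but a known user with an unusable password returns
    before any hashing, so response time reveals that the username exists."""
    user = users.get(username)
    if user is None:
        hasher.encode(password, "dummy")
        return None
    if not is_password_usable(user["password"]):
        return None  # fast path: no PBKDF2 work at all
    return user if hasher.verify(password, user["password"]) else None


def authenticate_fixed(hasher, users, username, password):
    """Every failing path performs exactly one PBKDF2 computation."""
    user = users.get(username)
    if user is None or not is_password_usable(user["password"]):
        hasher.encode(password, "dummy")
        return None
    return user if hasher.verify(password, user["password"]) else None


def hash_calls(authenticate, username, password):
    """Run one login attempt and return (authenticated, number of hash computations)."""
    hasher = CountingHasher()
    users = build_users(hasher)
    hasher.calls = 0  # ignore the hashing done while building the table
    user = authenticate(hasher, users, username, password)
    return user is not None, hasher.calls


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        for name in ("alice", "bob", "nobody"):
            print(fn.__name__, name, hash_calls(fn, name, "wrong"))
```

Read the call counts as a proxy for time: with the vulnerable variant "bob" is the only username that costs zero hash computations on failure, which is exactly what an enumeration script looks for. The fixed variant makes all three failure paths cost the same.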
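
CVE-2024-39330 concerns Storage subclasses whose generate_filename() override drops the parent class's path checks, so a crafted upload name can be saved outside the storage root. The following is an added example, not Django's code and not code from the plugin page: a minimal storage class with a validate_file_name() re-stated from the description above, a subclass that builds a dated upload path without calling the parent, and a save() variant that re-validates the generated name so the override cannot reach outside the root. Class and function names are this example's own; it assumes a POSIX path layout.

```python
import os
import pathlib


class SuspiciousFileOperation(Exception):
    """Stand-in for the exception a storage raises on a traversal attempt (constructed)."""


def validate_file_name(name, allow_relative_path=False):
    """Constructed re-statement of the checks a base storage applies (not Django's
    code): reject empty and dot names, absolute paths and any '..' segment."""
    name = str(name).replace("\\", "/")
    base = os.path.basename(name)
    if base in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = pathlib.PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != base:
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class BaseStorage:
    def __init__(self, root):
        self.root = os.path.abspath(root)

    def generate_filename(self, filename):
        # The base implementation validates; the bug is that an override can skip this.
        return validate_file_name(filename, allow_relative_path=True)

    def path(self, name):
        return os.path.normpath(os.path.join(self.root, name))

    def save_unsafe(self, name):
        """Pre-fix save(): trusts whatever generate_filename() returned."""
        return self.path(self.generate_filename(name))

    def save_fixed(self, name):
        """Post-fix save(): re-validates the generated name, so an override that
        forgot the parent's checks cannot reintroduce traversal."""
        generated = self.generate_filename(name)
        validate_file_name(generated, allow_relative_path=True)
        return self.path(generated)


class DatedUploadStorage(BaseStorage):
    """A typical override: group uploads by date. It never calls the parent, so
    the '..' check in BaseStorage.generate_filename() does not run."""

    def generate_filename(self, filename):
        return os.path.join("2024", "07", filename)


def escapes_root(storage, final_path):
    """True when the resolved target lies outside the storage root."""
    return os.path.commonpath([storage.root, final_path]) != storage.root


if __name__ == "__main__":
    storage = DatedUploadStorage("/srv/media")
    for name in ("avatar.png", "../../../../etc/cron.d/job", "/etc/passwd"):
        target = storage.save_unsafe(name)
        print(f"{name!r:32} -> {target}  escapes={escapes_root(storage, target)}")
        try:
            storage.save_fixed(name)
        except SuspiciousFileOperation as exc:
            print(f"{'':32}    fixed save() rejected: {exc}")
```

Note that the traversal string is carried through os.path.join() untouched and only collapses when the storage resolves the final path, and that an absolute name resets os.path.join() entirely. Both cases are caught by validating the generated name, not just the caller-supplied one. Built-in storages that keep the parent's generate_filename() already reject these inputs, which is why the advisory says they are unaffected.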

See Also

https://security.alpinelinux.org/vuln/CVE-2024-38875

https://security.alpinelinux.org/vuln/CVE-2024-39329

https://security.alpinelinux.org/vuln/CVE-2024-39330

https://security.alpinelinux.org/vuln/CVE-2024-39614

https://security.alpinelinux.org/vuln/CVE-2024-41989

https://security.alpinelinux.org/vuln/CVE-2024-41990

https://security.alpinelinux.org/vuln/CVE-2024-41991

https://security.alpinelinux.org/vuln/CVE-2024-42005

https://security.alpinelinux.org/vuln/CVE-2024-45230

https://security.alpinelinux.org/vuln/CVE-2024-45231

Plugin Details

Severity: Critical

ID: 426372

Version: Revision 1.5

Type: Local

Published: 5/16/2025

Updated: 6/1/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2024-42005

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.8

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 7/10/2024

Reference Information

CVE: CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614, CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, CVE-2024-42005, CVE-2024-45230, CVE-2024-45231