Alpine: py-django: security update to 1.11.11-r0

high Tenable Self-Hosted Container Security Plugin ID 406601

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of
the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site
scripting attack. This vulnerability shouldn't affect most production sites since you shouldn't run with
"DEBUG = True" (which makes this page accessible) in your production settings. (CVE-2017-12794)

- django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows
remote attackers to obtain potentially sensitive information by leveraging data exposure from the
confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
(CVE-2018-6188)

- An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The
django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic
backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x).
The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus
vulnerable. (CVE-2018-7536)

- An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If
django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were
extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular
expression. The chars() and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which were thus vulnerable. (CVE-2018-7537)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-12794

https://security.alpinelinux.org/vuln/CVE-2018-6188

https://security.alpinelinux.org/vuln/CVE-2018-7536

https://security.alpinelinux.org/vuln/CVE-2018-7537

Plugin Details

Severity: High

ID: 406601

Version: Revision 1.26

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2018-6188

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 9/5/2017

Reference Information

CVE: CVE-2017-12794, CVE-2018-6188, CVE-2018-7536, CVE-2018-7537

BID: 100643, 103357, 103361