Alpine: multiple py3-django packages: security update to 4.2.20-r0

critical Tenable Self-Hosted Container Security Plugin ID 427220

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The
strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via
certain inputs containing large sequences of nested incomplete HTML entities. (CVE-2024-53907)

- An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage
of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL
injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup
via __ are unaffected.) (CVE-2024-53908)

- An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of
upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential
denial-of-service attack. The undocumented and private functions clean_ipv6_address and
is_valid_ipv6_address are vulnerable, as is the django.forms.GenericIPAddressField form field. (The
django.db.models.GenericIPAddressField model field is not affected.) (CVE-2024-56374)

- An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The
django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service
attack when used with very long strings. (CVE-2025-26699)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-53907

https://security.alpinelinux.org/vuln/CVE-2024-53908

https://security.alpinelinux.org/vuln/CVE-2024-56374

https://security.alpinelinux.org/vuln/CVE-2025-26699

Plugin Details

Severity: Critical

ID: 427220

Version: Revision 1.7

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-26699

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 7.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2024-53908

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 12/6/2024

Reference Information

CVE: CVE-2024-53907, CVE-2024-53908, CVE-2024-56374, CVE-2025-26699