openSUSE 15 Security Update : python-Django (openSUSE-SU-2023:0005-1)

critical Nessus Plugin ID 169481

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0005-1 advisory.

- In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. (CVE-2021-32052)

- Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories. (CVE-2021-33203)

- In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

- In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

- An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

- An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key. (CVE-2021-45116)

- Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

- The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS. (CVE-2022-22818)

- An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
(CVE-2022-23833)

- An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

- A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
**options argument, and placing the injection payload in an option name. (CVE-2022-28347)

- An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7.
An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. (CVE-2022-36359)

- In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. (CVE-2022-41323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected python3-Django package.

See Also

https://www.suse.com/security/cve/CVE-2021-33571

https://www.suse.com/security/cve/CVE-2021-44420

https://www.suse.com/security/cve/CVE-2021-45115

https://www.suse.com/security/cve/CVE-2021-45116

https://www.suse.com/security/cve/CVE-2021-45452

https://www.suse.com/security/cve/CVE-2022-22818

https://www.suse.com/security/cve/CVE-2022-23833

https://www.suse.com/security/cve/CVE-2022-28346

https://www.suse.com/security/cve/CVE-2022-28347

https://www.suse.com/security/cve/CVE-2022-36359

https://www.suse.com/security/cve/CVE-2022-41323

https://bugzilla.suse.com/1185713

https://bugzilla.suse.com/1186608

https://bugzilla.suse.com/1186611

https://bugzilla.suse.com/1193240

https://bugzilla.suse.com/1194115

https://bugzilla.suse.com/1194116

https://bugzilla.suse.com/1194117

https://bugzilla.suse.com/1195086

https://bugzilla.suse.com/1195088

https://bugzilla.suse.com/1198297

https://bugzilla.suse.com/1198398

https://bugzilla.suse.com/1198399

https://bugzilla.suse.com/1201923

https://bugzilla.suse.com/1203793

http://www.nessus.org/u?1ff6e271

https://www.suse.com/security/cve/CVE-2021-32052

https://www.suse.com/security/cve/CVE-2021-33203

Plugin Details

Severity: Critical

ID: 169481

File Name: openSUSE-2023-0005-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 1/4/2023

Updated: 9/11/2023

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-28347

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:python3-django, cpe:/o:novell:opensuse:15.3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/3/2023

Vulnerability Publication Date: 5/6/2021

Reference Information

CVE: CVE-2021-32052, CVE-2021-33203, CVE-2021-33571, CVE-2021-44420, CVE-2021-45115, CVE-2021-45116, CVE-2021-45452, CVE-2022-22818, CVE-2022-23833, CVE-2022-28346, CVE-2022-28347, CVE-2022-36359, CVE-2022-41323