[Med] Snyk - Man-in-the-Middle - django (due 9/1/19) #3023

Closed
2 tasks
Tracked by #137
lbeaufort opened this issue Jul 3, 2019 · 5 comments · Fixed by #3092
Labels: Security: moderate Remediate within 60 days; Work: Back-end

Comments

lbeaufort (Member) commented Jul 3, 2019

Man-in-the-Middle (MitM)
Vulnerable module: django
Introduced through: django-libsass@0.7, django-jinja@2.4.1 and others
Detailed paths
Introduced through: project@0.0.0 › django-libsass@0.7 › django-compressor@2.3 › django-appconf@1.0.3 › django@1.11.20
Introduced through: project@0.0.0 › django-jinja@2.4.1 › django@1.11.20
Introduced through: project@0.0.0 › cg-django-uaa@1.3.0 › django@1.11.20
Introduced through: project@0.0.0 › django@1.11.20

Remediation
Upgrade django to version 1.11.22, 2.1.10, 2.2.3 or higher.

https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-451300

To do

  • Be sure to check Wagtail dependencies and which version of Django it's compatible with.
  • Test on Wagtail CMS to make sure Django upgrade didn't break Wagtail features or any other CMS features.
@lbeaufort lbeaufort added Bug Security: moderate Remediate within 60 days and removed Bug labels Jul 3, 2019
@lbeaufort lbeaufort changed the title [Med] Snyk - Man-in-the-Middle (MitM) due 9/1/19 [Med] Snyk - Man-in-the-Middle (MitM) - django - due 9/1/19 Jul 3, 2019
@lbeaufort lbeaufort changed the title [Med] Snyk - Man-in-the-Middle (MitM) - django - due 9/1/19 [Med] Snyk - Man-in-the-Middle - django (due 9/1/19) Jul 3, 2019
@lbeaufort lbeaufort added this to the Sprint 9.6 milestone Jul 21, 2019
@jason-upchurch jason-upchurch self-assigned this Jul 30, 2019
jason-upchurch (Contributor) commented

Requested wagtail access through fec-accounts repo.

jason-upchurch (Contributor) commented

Initially updated django@1.11.20 to django@2.2.1, but current wagtail@2.2.1 requires django < 2.2.1. The only version upgrade available <2.2.1 is django@1.1.22.

Added to requirements.txt and ran `snyk test --file=requirements.txt` from fec-cms; no vulnerabilities were detected. Need to test wagtail.

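As an added example (not part of this issue or the fec-cms project's own tooling), the check below applies the advisory's remediation floors (1.11.22 / 2.1.10 / 2.2.3) and the wagtail@2.2.1 ceiling (django < 2.2.1) reported in the comment above to a pinned requirements.txt, so the version chosen satisfies both constraints before it is tested; the sample requirements and all helper names are constructed for illustration.

```python
"""Added example: check a pinned Django requirement against the remediation
floors from the Snyk advisory quoted in this issue and the Wagtail ceiling
reported in the thread. Not the fec-cms project's own tooling."""
import re

# Minimum patched release per minor line, from the advisory in the issue.
PATCHED_FLOORS = {(1, 11): (1, 11, 22), (2, 1): (2, 1, 10), (2, 2): (2, 2, 3)}
# Exclusive upper bound the thread reports for wagtail@2.2.1 (django < 2.2.1).
WAGTAIL_DJANGO_CEILING = (2, 2, 1)

# Constructed requirements.txt mirroring the dependency paths in the issue.
SAMPLE_REQUIREMENTS = """\
django-libsass==0.7
django-jinja==2.4.1
cg-django-uaa==1.3.0
wagtail==2.2.1
django==1.11.20  # flagged by SNYK-PYTHON-DJANGO-451300
"""

def parse_version(text):
    """'1.11.20' -> (1, 11, 20): tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))

def pinned_version(requirements, package):
    """Return the '==' pin for `package` (case-insensitive) or None if unpinned."""
    pattern = re.compile(rf"^{re.escape(package)}\s*==\s*([0-9]+(?:\.[0-9]+)*)$", re.I)
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        match = pattern.match(line)
        if match:
            return parse_version(match.group(1))
    return None

def is_remediated(version):
    """True if `version` is at or above the patched floor for its minor line.
    Minor lines newer than every listed floor count as fixed ('or higher');
    older unlisted lines (e.g. 2.0) are treated as unpatched."""
    minor = version[:2]
    if minor in PATCHED_FLOORS:
        return version >= PATCHED_FLOORS[minor]
    return minor > max(PATCHED_FLOORS)

def assess(requirements):
    """Return (version, remediated, wagtail_compatible) for the django pin.
    Only a version that satisfies both can be taken without also bumping wagtail."""
    version = pinned_version(requirements, "django")
    if version is None:
        return (None, False, False)
    return (version, is_remediated(version), version < WAGTAIL_DJANGO_CEILING)
```

With the sample file, `assess(SAMPLE_REQUIREMENTS)` reports 1.11.20 as unpatched but wagtail-compatible, while 2.2.3 is patched but breaks the wagtail ceiling, which is exactly the trade-off the thread works through.
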
jason-upchurch (Contributor) commented

pytest passes. Will deploy to dev on 8/1 to test.

jason-upchurch (Contributor) commented

Thank you @lbeaufort for the Django Roadmap, which details django@1.11 as LTS until at least April 2020: https://www.djangoproject.com/weblog/2015/jun/25/roadmap/

jason-upchurch (Contributor) commented

Upgrade to django@1.11.22 introduces 4 new medium severity vulnerabilities:

✗ Medium severity vulnerability found in django
  Description: Denial of Service (Memory Exhaustion)
  Info: https://snyk.io/vuln/SNYK-PYTHON-DJANGO-456540
  Introduced through: django@1.11.22, cg-django-uaa@1.3.0, django-jinja@2.4.1, django-libsass@0.7
  From: django@1.11.22
  From: cg-django-uaa@1.3.0 > django@1.11.22
  From: django-jinja@2.4.1 > django@1.11.22

✗ Medium severity vulnerability found in django
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-PYTHON-DJANGO-456541
  Introduced through: django@1.11.22, cg-django-uaa@1.3.0, django-jinja@2.4.1, django-libsass@0.7
  From: django@1.11.22
  From: cg-django-uaa@1.3.0 > django@1.11.22
  From: django-jinja@2.4.1 > django@1.11.22
  and 1 more...

✗ Medium severity vulnerability found in django
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-PYTHON-DJANGO-456542
  Introduced through: django@1.11.22, cg-django-uaa@1.3.0, django-jinja@2.4.1, django-libsass@0.7
  From: django@1.11.22
  From: cg-django-uaa@1.3.0 > django@1.11.22
  From: django-jinja@2.4.1 > django@1.11.22

✗ Medium severity vulnerability found in django
  Description: SQL Injection
  Info: https://snyk.io/vuln/SNYK-PYTHON-DJANGO-456566
  Introduced through: django@1.11.22, cg-django-uaa@1.3.0, django-jinja@2.4.1, django-libsass@0.7
  From: django@1.11.22
  From: cg-django-uaa@1.3.0 > django@1.11.22
  From: django-jinja@2.4.1 > django@1.11.22

Will upgrade under this PR to django@1.11.23.
