Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Denial of Service (DoS) via UserAttributeSimilarityValidator when evaluating submitted passwords that are extremely large relative to the comparison values. This issue is mitigated in newer versions by ignoring long values in UserAttributeSimilarityValidator.
Note: it is exploitable under the assumption that access to user registration is unrestricted.
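As an added illustration (not code from this issue, from Snyk, or from Django itself) of the mitigation the advisory describes: a simplified validator in the style of UserAttributeSimilarityValidator that skips the SequenceMatcher comparison whenever the submitted password is disproportionately longer than the user attribute it is being compared against, so an oversized password no longer drives the expensive comparison. The length-ratio rule and the USER record are assumptions modeled on Django's approach.

```python
import re
from difflib import SequenceMatcher

# Constructed user record standing in for a Django user model instance.
USER = {"username": "jsmith", "first_name": "John", "email": "john.smith@example.com"}
MAX_SIMILARITY = 0.7  # threshold the Django validator uses by default


def exceeds_maximum_length_ratio(password: str, max_similarity: float, value: str) -> bool:
    """True when the password is so much longer than the attribute value that the
    similarity comparison cannot succeed and would only burn CPU.
    Assumption: the ratio rule is modeled on the guard the fixed Django releases apply."""
    pwd_len = len(password)
    length_bound_similarity = max_similarity / 2 * pwd_len
    value_len = len(value)
    return pwd_len >= 10 * value_len and value_len < length_bound_similarity


def validate(password: str, user: dict, max_similarity: float = MAX_SIMILARITY) -> dict:
    """Simplified UserAttributeSimilarityValidator.validate().

    Returns {"similar_to": attribute name or None,
             "skipped": sorted attribute names whose comparison the length guard skipped}.
    """
    password_lower = password.lower()
    skipped = set()
    for attr, value in user.items():
        if not value or not isinstance(value, str):
            continue
        value_lower = value.lower()
        # Compare against each word-like part of the attribute and against the whole value.
        for part in re.split(r"\W+", value_lower) + [value_lower]:
            if exceeds_maximum_length_ratio(password_lower, max_similarity, part):
                skipped.add(attr)  # oversized password: skip instead of comparing
                continue
            if SequenceMatcher(a=password_lower, b=part).quick_ratio() >= max_similarity:
                return {"similar_to": attr, "skipped": sorted(skipped)}
    return {"similar_to": None, "skipped": sorted(skipped)}


if __name__ == "__main__":
    print(validate("jsmith123", USER))   # rejected: too similar to the username
    print(validate("x" * 5000, USER))    # every comparison skipped by the length guard
```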
Introduced through: project@0.0.0 › django@3.1.13
Fix: Upgrade django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › cg-django-uaa@2.1.1 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › django-jinja@2.7.0 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › django-storages@1.7.1 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › wagtail@2.11.8 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › wagtail@2.11.8 › django-filter@2.4.0 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › wagtail@2.11.8 › django-taggit@1.5.1 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › wagtail@2.11.8 › django-treebeard@4.5.1 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › wagtail@2.11.8 › djangorestframework@3.13.1 › django@3.1.13
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Introduced through: project@0.0.0 › django-libsass@0.7 › django-compressor@3.1 › django-appconf@1.0.5 › django@3.1.13
Remediation:
Fix: Pin django to version 2.2.26 or 3.2.11 or 4.0.1
Completion criteria:
Fix: Pin django to version 3.2.11
Our CMS authentication is using a separate cloud.gov authentication system. Therefore, we don't allow users to register using our system and this is not a vulnerability. We will be upgrading django to 3.2.11 in a follow-up ticket once we've upgraded Wagtail.
We need to upgrade to 3.2.12 in the follow-up ticket due to this vulnerability and the XSS vulnerability. We are currently not using the affected template tag, but 3.2.12 is needed anyway.
https://app.snyk.io/org/fecgov/project/ff0dca01-794e-4c1c-bf1f-0c0f8932fadd/#issue-SNYK-PYTHON-DJANGO-2329160