{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Critical"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"python-django security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for python-django is now available for openEuler-22.03-LTS-SP4",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"A high-level Python Web framework that encourages rapid development and clean, pragmatic design.\n\nSecurity Fix(es):\n\nA vulnerability was found in the Django Web Framework. The strip_tags() method and the striptags template filter may be vulnerable to a potential denial of service (DoS) when given input containing a large sequence of nested incomplete HTML entities.(CVE-2024-53907)\n\nA vulnerability was found in the Django Web Framework. Direct usage of the django.db.models.fields.json.HasKey lookup may be vulnerable to SQL injection if untrusted data is used as the lhs value. This applies only when an Oracle database backend is used; applications that use the jsonfield.has_key lookup via __ are unaffected.(CVE-2024-53908)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for python-django is now available for openEuler-22.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of critical. The critical rating is driven by CVE-2024-53908 (CVSS 9.8); CVE-2024-53907 is rated high (CVSS 7.5). A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Critical",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"python-django",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2024-2540",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2540"
			},
			{
				"summary":"CVE-2024-53907",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-53907&packageName=python-django"
			},
			{
				"summary":"CVE-2024-53908",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-53908&packageName=python-django"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53907"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53908"
			},
			{
				"summary":"openEuler-SA-2024-2540 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-2540.json"
			}
		],
		"title":"An update for python-django is now available for openEuler-22.03-LTS-SP4",
		"tracking":{
			"initial_release_date":"2024-12-13T21:17:38+08:00",
			"revision_history":[
				{
					"date":"2024-12-13T21:17:38+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2024-12-13T21:17:38+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-12-13T21:17:38+08:00",
			"id":"openEuler-SA-2024-2540",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"openEuler-22.03-LTS-SP4",
									"name":"openEuler-22.03-LTS-SP4"
								},
								"name":"openEuler-22.03-LTS-SP4",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"python-django-4.2.15-3.oe2203sp4.src.rpm",
									"name":"python-django-4.2.15-3.oe2203sp4.src.rpm"
								},
								"name":"python-django-4.2.15-3.oe2203sp4.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"python-django-help-4.2.15-3.oe2203sp4.noarch.rpm",
									"name":"python-django-help-4.2.15-3.oe2203sp4.noarch.rpm"
								},
								"name":"python-django-help-4.2.15-3.oe2203sp4.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"python3-Django-4.2.15-3.oe2203sp4.noarch.rpm",
									"name":"python3-Django-4.2.15-3.oe2203sp4.noarch.rpm"
								},
								"name":"python3-Django-4.2.15-3.oe2203sp4.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"python-django-4.2.15-3.oe2203sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:python-django-4.2.15-3.oe2203sp4.src",
					"name":"python-django-4.2.15-3.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"python-django-help-4.2.15-3.oe2203sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:python-django-help-4.2.15-3.oe2203sp4.noarch",
					"name":"python-django-help-4.2.15-3.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"python3-Django-4.2.15-3.oe2203sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:python3-Django-4.2.15-3.oe2203sp4.noarch",
					"name":"python3-Django-4.2.15-3.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-53907",
			"notes":[
				{
					"text":"An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP4:python-django-4.2.15-3.oe2203sp4.src",
					"openEuler-22.03-LTS-SP4:python-django-help-4.2.15-3.oe2203sp4.noarch",
					"openEuler-22.03-LTS-SP4:python3-Django-4.2.15-3.oe2203sp4.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP4:python-django-4.2.15-3.oe2203sp4.src",
						"openEuler-22.03-LTS-SP4:python-django-help-4.2.15-3.oe2203sp4.noarch",
						"openEuler-22.03-LTS-SP4:python3-Django-4.2.15-3.oe2203sp4.noarch"
					],
					"details":"python-django security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2540"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP4:python-django-4.2.15-3.oe2203sp4.src",
						"openEuler-22.03-LTS-SP4:python-django-help-4.2.15-3.oe2203sp4.noarch",
						"openEuler-22.03-LTS-SP4:python3-Django-4.2.15-3.oe2203sp4.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2024-53907"
		},
		{
			"cve":"CVE-2024-53908",
			"notes":[
				{
					"text":"An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-22.03-LTS-SP4:python-django-4.2.15-3.oe2203sp4.src",
					"openEuler-22.03-LTS-SP4:python-django-help-4.2.15-3.oe2203sp4.noarch",
					"openEuler-22.03-LTS-SP4:python3-Django-4.2.15-3.oe2203sp4.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-22.03-LTS-SP4:python-django-4.2.15-3.oe2203sp4.src",
						"openEuler-22.03-LTS-SP4:python-django-help-4.2.15-3.oe2203sp4.noarch",
						"openEuler-22.03-LTS-SP4:python3-Django-4.2.15-3.oe2203sp4.noarch"
					],
					"details":"python-django security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2540"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"CRITICAL",
						"baseScore":9.8,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-22.03-LTS-SP4:python-django-4.2.15-3.oe2203sp4.src",
						"openEuler-22.03-LTS-SP4:python-django-help-4.2.15-3.oe2203sp4.noarch",
						"openEuler-22.03-LTS-SP4:python3-Django-4.2.15-3.oe2203sp4.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"Critical",
					"category":"impact"
				}
			],
			"title":"CVE-2024-53908"
		}
	]
}