Filtered by vendor Redhat
Subscriptions
Filtered by product Rhui
Subscriptions
Total
29 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-31047 | 3 Djangoproject, Fedoraproject, Redhat | 5 Django, Fedora, Rhui and 2 more | 2024-08-02 | 9.8 Critical |
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise. | ||||
CVE-2023-30608 | 3 Debian, Redhat, Sqlparse Project | 5 Debian Linux, Rhui, Satellite and 2 more | 2024-08-02 | 5.5 Medium |
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
CVE-2023-24580 | 3 Debian, Djangoproject, Redhat | 6 Debian Linux, Django, Ansible Automation Platform and 3 more | 2024-08-02 | 7.5 High |
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. | ||||
CVE-2023-23969 | 3 Debian, Djangoproject, Redhat | 5 Debian Linux, Django, Rhui and 2 more | 2024-08-02 | 7.5 High |
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. | ||||
CVE-2024-27351 | 1 Redhat | 4 Ansible Automation Platform, Rhui, Satellite and 1 more | 2024-08-02 | 5.3 Medium |
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665. | ||||
CVE-2024-24680 | 2 Djangoproject, Redhat | 6 Django, Ansible Automation Platform, Openstack and 3 more | 2024-08-01 | 7.5 High |
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings. | ||||
CVE-2024-23342 | 2 Redhat, Tlsfuzzer | 2 Rhui, Ecdsa | 2024-08-01 | 7.4 High |
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior are vulnerable to the Minerva attack. As of time of publication, no known patched version exists. | ||||
CVE-2024-23334 | 3 Aiohttp, Fedoraproject, Redhat | 6 Aiohttp, Fedora, Ansible Automation Platform and 3 more | 2024-08-01 | 5.9 Medium |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue. | ||||
CVE-2024-22195 | 2 Palletsprojects, Redhat | 9 Jinja, Ansible Automation Platform, Ceph Storage and 6 more | 2024-08-01 | 5.4 Medium |
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. |