{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-22818", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T03:21:49.173Z", "dateReserved": "2022-01-07T00:00:00", "datePublished": "2022-02-03T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-15T00:00:00"}, "descriptions": [{"lang": "en", "value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"}, {"name": "FEDORA-2022-e7fd530688", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}, {"url": "https://security.netapp.com/advisory/ntap-20220221-0003/"}, {"name": "DSA-5254", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5254"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:21:49.173Z"}, "title": "CVE Program Container", "references": [{"url": "https://groups.google.com/forum/#%21forum/django-announce", "tags": ["x_transferred"]}, {"url": "https://docs.djangoproject.com/en/4.0/releases/security/", "tags": ["x_transferred"]}, {"url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/", "tags": ["x_transferred"]}, {"name": "FEDORA-2022-e7fd530688", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}, {"url": "https://security.netapp.com/advisory/ntap-20220221-0003/", "tags": ["x_transferred"]}, {"name": "DSA-5254", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5254"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7324BB5-64C7-45F6-ADEB-E0929B4B00B6", "versionEndExcluding": "2.2.27", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "D15BB946-FCF5-43FC-99EF-EBB2513CA2FB", "versionEndExcluding": "3.2.12", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA09D497-21DD-410D-9692-A601B1EAA0B9", "versionEndExcluding": "4.0.2", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS."}, {"lang": "es", "value": "La etiqueta de plantilla {% debug %} en Django versiones 2.2 anteriores a 2.2.27, 3.2 anteriores a 3.2.12 y 4.0 anteriores a 4.0.2, no codifica correctamente el contexto actual. Esto puede conllevar a un ataque de tipo XSS"}], "id": "CVE-2022-22818", "lastModified": "2023-11-07T03:43:59.953", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-03T02:15:07.580", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://docs.djangoproject.com/en/4.0/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220221-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5254"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.djangoproject.com/weblog/2022/feb/01/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:8872", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "python-django20-0:2.0.13-18.el8ost", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:8853", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "python-django20-0:2.0.13-18.el8ost", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2022-12-07T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite:6.11::el8", "package": "python-django-0:3.2.13-1.el8pc", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite_capsule:6.11::el8", "package": "python-django-0:3.2.13-1.el8pc", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:8506", "cpe": "cpe:/a:redhat:satellite:6.12::el8", "package": "python-django-0:3.2.14-2.el8pc", "product_name": "Red Hat Satellite 6.12 for RHEL 8", "release_date": "2022-11-16T00:00:00Z"}, {"advisory": "RHSA-2022:8506", "cpe": "cpe:/a:redhat:satellite_capsule:6.12::el8", "package": "python-django-0:3.2.14-2.el8pc", "product_name": "Red Hat Satellite 6.12 for RHEL 8", "release_date": "2022-11-16T00:00:00Z"}], "bugzilla": {"description": "django: Possible XSS via '{% debug %}' template tag", "id": "2048775", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2048775"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.", "A flaw was found in Django. The ``{% debug %}`` template tag did not properly encode the current context, posing a Cross-site scripting attack vector (XSS)."], "name": "CVE-2022-22818", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Affected", "package_name": "django", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python3-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2022-02-01T08:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-22818\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22818\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/"], "threat_severity": "Moderate", "upstream_fix": "django 4.0.2, django 3.2.12, django 2.2.27"}