Sjoerd Job Postmus

**Nome do software vulnerável e versões afetadas: Versões do Django 2.2 anteriores à 2.2.25 Versões do Django 3.1 anteriores à 3.1.14 Versões do Django 3.2 anteriores à 3.2.10 Descrição: Solicitações HTTP para URLs com caracteres de nova linha no final poderiam contornar o controle de acesso upstream baseado em caminhos de URL. Esta vulnerabilidade tem gravidade baixa, de acordo com a política de segurança do Django. Recomendações: Para as versões do Django 2.2 anteriores à 2.2.25, atualize para a versão 2.2.25 ou posterior. Para as versões do Django 3.1 anteriores à 3.1.14, atualize para a versão 3.1.14 ou posterior. Para as versões do Django 3.2 anteriores à 3.2.10, atualize para a versão 3.2.10 ou posterior.

**Name of the Vulnerable Software and Affected Versions** Django versions 1.11.x through 1.11.18 Django versions 2.0.x through 2.0.10 Django versions 2.1.x through 2.1.5 **Description** The issue is related to uncontrolled memory consumption, which can lead to a complete depletion of resources, potentially causing a denial of service. This can be triggered by a malicious attacker-supplied value to the `django.utils.numberformat.format()` function. The vulnerability can be exploited by a remote attacker. **Recommendations** For Django versions 1.11.x through 1.11.18, update to version 1.11.19 or later. For Django versions 2.0.x through 2.0.10, update to version 2.0.11 or later. For Django versions 2.1.x through 2.1.5, update to version 2.1.6 or later. As a temporary workaround, consider restricting the use of the `django.utils.numberformat.format()` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Django versions prior to 1.8.10 Django versions 1.9.x prior to 1.9.3 **Description** The issue allows remote attackers to enumerate users via a timing attack involving login requests. This is due to a problem in the password hasher. **Recommendations** For Django versions prior to 1.8.10, update to version 1.8.10 or later. For Django versions 1.9.x prior to 1.9.3, update to version 1.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** Django versions 1.5.x through 1.6.x Django versions 1.7.x before 1.7.9 Django versions 1.8.x before 1.8.3 Django before 1.4.21 **Description** The issue is related to resource management errors in the Django web application platform. It can be exploited by a remote attacker to cause a denial of service by creating multiple requests with unique session keys. The vulnerability also allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an email message, URL, or unspecified vectors to certain validators. **Recommendations** For Django before 1.4.21, update to version 1.4.21 or later. For Django versions 1.5.x through 1.6.x, update to version 1.7.9 or later. For Django versions 1.7.x before 1.7.9, update to version 1.7.9 or later. For Django versions 1.8.x before 1.8.3, update to version 1.8.3 or later. As a temporary workaround, consider restricting access to the `EmailValidator`, `URLValidator`, `validate ipv4 address`, and `validate slug` validator functions until a patch is available.