ALT-PU-2025-13042-3

Package update python3-module-django in branch sisyphus

Version: 5.2.7-alt1
Published: 2026-02-04
Max severity: CRITICAL

Closed issues (6)

BDU:2025-12461
HIGH 7.1

Vulnerability in the QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() methods of the Django web application framework, allowing an attacker to affect the confidentiality and integrity of protected information

Published: 2025-10-03, Modified: 2025-12-26
CVSS 3.x: HIGH 7.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS 2.0: MEDIUM 5.6
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:P/A:N
BDU:2025-12661
LOW 3.1

Vulnerability in the django.utils.archive.extract() function of the Django web application framework, allowing an attacker to bypass security restrictions

Published: 2025-10-09, Modified: 2025-11-14
CVSS 3.x: LOW 3.1
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0: LOW 2.1
CVSS:2.0/AV:N/AC:H/Au:S/C:N/I:P/A:N
CVE-2025-59681
CRITICAL 9.8

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods (on MySQL and MariaDB).

Published: 2025-10-01, Modified: 2025-11-04
CVSS 3.x: CRITICAL 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2025-59682
MEDIUM 6.5

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths sharing a common prefix with the target directory.

Published: 2025-10-01, Modified: 2025-11-04
CVSS 3.x: MEDIUM 6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N