Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk:Medium] Access Restriction Bypass (due by 03/08/2022) #4993

Closed
2 tasks done
Tracked by #137
pkfec opened this issue Dec 15, 2021 · 1 comment · Fixed by #5076
Closed
2 tasks done
Tracked by #137

[Snyk:Medium] Access Restriction Bypass (due by 03/08/2022) #4993

pkfec opened this issue Dec 15, 2021 · 1 comment · Fixed by #5076
Assignees
@patphongs
Labels
Security: moderate Remediate within 60 days
Milestone
Sprint 17.3

Comments

@pkfec
Copy link
Contributor

pkfec commented Dec 15, 2021
edited by patphongs
Loading

Overview

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Access Restriction Bypass. HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

https://security.snyk.io/vuln/SNYK-PYTHON-DJANGO-2312875

Introduced through:

project@0.0.0 › django@3.1.13
Fix: Upgrade django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › cg-django-uaa@2.1.1 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › django-jinja@2.7.0 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › django-storages@1.7.1 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › wagtail@2.11.8 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › wagtail@2.11.8 › django-filter@2.4.0 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › wagtail@2.11.8 › django-taggit@1.5.1 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › wagtail@2.11.8 › django-treebeard@4.5.1 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › wagtail@2.11.8 › djangorestframework@3.13.0 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: project@0.0.0 › django-libsass@0.7 › django-compressor@3.0 › django-appconf@1.0.5 › django@3.1.13
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10

Remediation:

Upgrade django to version 2.2.25 or 3.1.14 or 3.2.10

Completion criteria:

  • Upgrade django to version 3.1.14
  • Make a followup ticket to 3.2.10
@pkfec pkfec added the Security: moderate Remediate within 60 days label Dec 15, 2021
@pkfec pkfec mentioned this issue Dec 15, 2021
Closed
1 task
@pkfec pkfec changed the title [Snyk:Medium] Access Restriction Bypass (03/08/2022) [Snyk:Medium] Access Restriction Bypass (due by 03/08/2022) Dec 15, 2021
@dorothyyeager dorothyyeager added this to the Sprint 17.1 milestone Dec 20, 2021
@pkfec pkfec mentioned this issue Dec 22, 2021
Closed
This was referenced Dec 29, 2021
Closed
Closed
@pkfec pkfec mentioned this issue Jan 12, 2022
Closed
1 task
@fec-jli fec-jli mentioned this issue Jan 19, 2022
Closed
@patphongs patphongs mentioned this issue Feb 22, 2022
Merged
@patphongs
Copy link
Member

patphongs commented Feb 22, 2022
edited
Loading

This vulnerability will require us to upgrade Django to 3.2.11. We'll use that ticket as the follow-up to upgrade.

@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@patphongs patphongs

Labels
Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 17.3
Development

Successfully merging a pull request may close this issue.

Upgrade django to 3.1.14 fecgov/fec-cms
4 participants
@pkfec @patphongs @dorothyyeager @JonellaCulmer