Filtered by vendor Redhat
Subscriptions
Filtered by product Rhui
Subscriptions
Total
29 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-23969 | 3 Debian, Djangoproject, Redhat | 5 Debian Linux, Django, Rhui and 2 more | 2024-11-21 | 7.5 High |
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. | ||||
CVE-2022-41323 | 2 Djangoproject, Redhat | 4 Django, Rhui, Satellite and 1 more | 2024-11-21 | 7.5 High |
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. | ||||
CVE-2022-40899 | 2 Pythoncharmers, Redhat | 4 Python-future, Rhui, Satellite and 1 more | 2024-11-21 | 7.5 High |
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server. | ||||
CVE-2022-34265 | 2 Djangoproject, Redhat | 4 Django, Rhui, Satellite and 1 more | 2024-11-21 | 9.8 Critical |
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected. | ||||
CVE-2022-28347 | 3 Debian, Djangoproject, Redhat | 6 Debian Linux, Django, Ansible Automation Platform and 3 more | 2024-11-21 | 9.8 Critical |
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name. | ||||
CVE-2022-28346 | 3 Debian, Djangoproject, Redhat | 7 Debian Linux, Django, Ansible Automation Platform and 4 more | 2024-11-21 | 9.8 Critical |
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs. | ||||
CVE-2021-44420 | 5 Canonical, Debian, Djangoproject and 2 more | 7 Ubuntu Linux, Debian Linux, Django and 4 more | 2024-11-21 | 7.3 High |
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. | ||||
CVE-2018-10917 | 2 Pulpproject, Redhat | 4 Pulp, Rhui, Satellite and 1 more | 2024-11-21 | N/A |
pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories. | ||||
CVE-2012-4574 | 2 Cloudforms Tools, Redhat | 3 1, Cloudforms, Rhui | 2024-11-21 | N/A |
Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file. |