CVE-2021-45452: Archive of security issues | Django documentation

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.


Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.

As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).

Issues under Django’s security process

All security issues have been handled under versions of Django’s security process. These are listed below.

June 2, 2021 - CVE-2021-33571

Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses.

February 1, 2016 - CVE-2016-2048

A user with “change” but not “add” permission can create objects for ModelAdmin classes with save_as=True.

Versions affected

  • Django 1.9 (patch)

February 19, 2013 - No CVE

Additional hardening of Host header handling.

December 10, 2012 - No CVE 2

Additional hardening of redirect validation.

December 10, 2012 - No CVE 1

Additional hardening of Host header handling.

September 9, 2011 - CVE-2011-4140

Potential CSRF via Host header.

Versions affected

This notification was an advisory only, so no patches were issued.

  • Django 1.2
  • Django 1.3

Issues prior to Django’s security process

Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.
