Django: CVE-2022-22818: Possible XSS via {% debug %} template tag

Related Vulnerabilities: CVE-2022-22818  

oss-sec mailing list archives

From: Mariusz Felisiak <felisiak.mariusz () gmail com>

Date: Tue, 1 Feb 2022 09:05:38 +0100

https://www.djangoproject.com/weblog/2022/feb/01/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing `Django 4.0.2 <https://docs.djangoproject.com/en/dev/releases/4.0.2/>`_,
`Django 3.2.12 <https://docs.djangoproject.com/en/dev/releases/3.2.12/>`_, and
`Django 2.2.27 <https://docs.djangoproject.com/en/dev/releases/2.2.27/>`_.
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
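The two properties the advisory describes (no output at all when ``DEBUG`` is
``False``, HTML-escaped output when it is ``True``) can be checked with a small
stand-alone model. The block below is added example code, not Django's
implementation or the patch itself: it replaces the template engine with a plain
dict, uses only ``pprint`` and ``html.escape`` from the standard library, and the
names ``Settings``, ``render_debug_unescaped`` and ``render_debug`` are
hypothetical. The context values are constructed sample data.

```python
"""Simplified model of the {% debug %} behaviour before and after the fix
described in the advisory. Added example, not Django's own code."""
from dataclasses import dataclass
from html import escape
from pprint import pformat


@dataclass
class Settings:
    """Hypothetical stand-in for django.conf.settings; only DEBUG matters here."""
    DEBUG: bool = False


def render_debug_unescaped(context: dict) -> str:
    """Pre-fix behaviour as the advisory describes it: the context is dumped
    into the page without HTML-encoding, so markup in a value is emitted raw."""
    return pformat(context)


def render_debug(context: dict, settings: Settings) -> str:
    """Hardened behaviour: emit nothing unless DEBUG is True, and HTML-escape
    every key and value so markup carried in context data stays inert."""
    if not settings.DEBUG:
        return ""
    lines = []
    for key in sorted(context, key=str):
        # pformat gives the same repr-style dump as before; escape() then
        # neutralises <, >, &, and quotes in whatever the value contained.
        lines.append(f"{escape(str(key))}: {escape(pformat(context[key]))}")
    return "\n".join(lines)


def contains_raw_markup(rendered: str) -> bool:
    """True when an unescaped <script> tag survived into the rendered output."""
    return "<script>" in rendered


# Constructed sample context: "comment" stands in for a user-supplied value.
CONSTRUCTED_CONTEXT = {
    "user": "alice",
    "comment": "<script>alert(1)</script>",
}

if __name__ == "__main__":
    print("DEBUG=False ->", repr(render_debug(CONSTRUCTED_CONTEXT, Settings(DEBUG=False))))
    print("DEBUG=True  ->")
    print(render_debug(CONSTRUCTED_CONTEXT, Settings(DEBUG=True)))
```

With ``DEBUG=False`` the hardened renderer returns an empty string, and with
``DEBUG=True`` the ``<script>`` text arrives as ``&lt;script&gt;``; the
unescaped variant emits the tag verbatim, which is the condition the advisory
calls an XSS vector.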

Thanks Keryn Knight for the report.

This issue has severity "medium" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and to
the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the
following changesets.

* On the `main branch <https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68>`__
* On the `4.0 release branch <https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5>`__
* On the `3.2 release branch <https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2>`__
* On the `2.2 release branch <https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6>`__

The following releases have been issued:

* Django 4.0.2 (`download Django 4.0.2 <https://www.djangoproject.com/m/releases/4.0/Django-4.0.2.tar.gz>`_ | `4.0.2 checksums <https://www.djangoproject.com/m/pgp/Django-4.0.2.checksum.txt>`_)
* Django 3.2.12 (`download Django 3.2.12 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.12.tar.gz>`_ | `3.2.12 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.12.checksum.txt>`_)
* Django 2.2.27 (`download Django 2.2.27 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.27.tar.gz>`_ | `2.2.27 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.27.checksum.txt>`_)

The PGP key ID used for this release is Mariusz Felisiak:
`2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
