Safety vulnerability ID: 39646
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Django versions 2.2.19, 3.0.13 and 3.1.7 include a fix for CVE-2021-23336: Web cache poisoning via 'django.utils.http.limited_parse_qsl()'. Django contains a copy of 'urllib.parse.parse_qsl' which was added to backport some security fixes. A further security fix has been issued recently such that 'parse_qsl(' no longer allows using ';' as a query parameter separator by default.
Latest version: 5.1.4
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
===========================
*February 19, 2021*
Django 2.2.19 fixes a security issue in 2.2.18.
CVE-2021-23336: Web cache poisoning via ``django.utils.http.limited_parse_qsl()``
=================================================================================
Django contains a copy of :func:`urllib.parse.parse_qsl` which was added to
backport some security fixes. A further security fix has been issued recently
such that ``parse_qsl()`` no longer allows using ``;`` as a query parameter
separator by default. Django now includes this fix. See :bpo:`42967` for
further details.
===========================
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application