[BB2-1029] Bump Django 2.2.24 To 2.2.25 To Mediate Vuln (Access Restriction Bypass) #1004
JIRA Ticket:
BB2-1029
User Story or Bug Summary:
The weekly security audit Snyk scan reported one medium-severity vulnerability; details are shown below:
django Access Restriction Bypass
Type: VULNERABILITY
CWE: CWE-284
CVE: CVE-2021-44420
CVSS: 5.3 MEDIUM
Snyk ID: SNYK-PYTHON-DJANGO-2312875
Score: 551
Introduced through: [email protected], [email protected] and others
Fixed in: [email protected], @3.1.14, @3.2.10
Exploit maturity: NO KNOWN EXPLOIT
Detailed paths and remediation
Introduced through: [email protected] › [email protected]
Fix: Upgrade django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: [email protected] › [email protected] › [email protected]
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: [email protected] › [email protected] › [email protected]
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
…and 9 more
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Access Restriction Bypass. HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
It is desirable to fix this: upgrade django from 2.2.24 to 2.2.25.
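The mechanism behind the trailing-newline bypass described above is a regex anchoring detail: in Python, `$` also matches just before a newline at the very end of a string, while `\Z` matches only the true end (the fixed Django releases anchor route regexes with `\Z`). The following is an added illustration, not Django's code or this PR's; the route table, the upstream deny rule and the paths are constructed.

```python
import re

# Constructed route tables in the style of a framework's URL patterns.
# The first anchors with '$', the second with '\Z'.
ROUTES_DOLLAR = {"admin": re.compile(r"^admin/$")}
ROUTES_Z = {"admin": re.compile(r"^admin/\Z")}


def resolve(routes, path):
    """Return the name of the first route whose regex matches path, else None."""
    for name, pattern in routes.items():
        if pattern.search(path):
            return name
    return None


def upstream_denies(path):
    """Constructed upstream rule: exact-match deny of the admin path.

    An upstream component comparing the raw path string does not treat
    '/admin/\\n' as '/admin/', so the request passes through.
    """
    return path == "/admin/"


def reaches_admin_past_upstream(routes, raw_path):
    """True if a request the upstream lets through still resolves to the
    admin route downstream (the mismatch the advisory describes)."""
    if upstream_denies(raw_path):
        return False
    return resolve(routes, raw_path.lstrip("/")) == "admin"


def audit_anchoring(patterns):
    """Defensive check: list regexes whose end anchor is '$' rather than '\\Z'."""
    return [p.pattern for p in patterns if p.pattern.endswith("$")]


if __name__ == "__main__":
    probe = "/admin/\n"  # constructed request path with a trailing newline
    print("'$' anchoring reaches admin:", reaches_admin_past_upstream(ROUTES_DOLLAR, probe))
    print("'\\Z' anchoring reaches admin:", reaches_admin_past_upstream(ROUTES_Z, probe))
    print("patterns needing review:", audit_anchoring(ROUTES_DOLLAR.values()))
```

The same `audit_anchoring` idea can be run over any hand-written regex route or proxy rule set to confirm nothing still relies on `$` as an end-of-path anchor.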
- BB2 Developers
- 3rd Party apps
- Environment
- Benes
- All above
- BB2 Security practice
- Yes, vulnerability needs to be addressed asap
AC:
Django upgraded to 2.2.25
Pass all tests: unittests, integration tests, selenium tests
What Does This PR Do?
Upgrade Django from 2.2.24 to 2.2.25
What Should Reviewers Watch For?
If you're reviewing this PR, please check these things, in particular:
What Security Implications Does This PR Have?
Submitters should complete the following questionnaire:
What Needs to Be Merged and Deployed Before this PR?
This PR cannot be either merged or deployed until the following pre-requisite changes have been fully deployed:
Any Migrations?
Submitter Checklist
I have gone through and verified that...:
README updates and changelog / release notes entries.
TODO and/or FIXME comments, which include a JIRA ticket ID for any items that require urgent attention.