[Snyk] Security upgrade django from 1.7.4 to 4.2.24 #22

Open
acn-tesch wants to merge 1 commit into master from snyk-fix-cba6faba9bef520ed92d797174d8cea7

Conversation

@acn-tesch


Snyk has created this PR to fix 1 vulnerability in the pip dependencies of this project.

Snyk changed the following file(s):

  • requirements.txt

⚠️ Warning: django-keen 0.1.3 has requirement keen==0.3.0, but you have keen 0.3.7.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 SQL Injection

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-12485156
@acn-tesch


Checkmarx One – Scan Summary & Details (scan 5fe8f159-0f6a-4299-a6bd-1803618d15dd)

New Issues (12)

Checkmarx found the following issues in this Pull Request. Each entry lists severity, issue, source file or package, and the Checkmarx Insight category.

  • CRITICAL CVE-2019-7164 in Python-SQLAlchemy-0.9.8 (Insight: Vulnerable Package)
    Recommended version: 1.3.0
    Description: SQLAlchemy through 1.3.0b2 allows SQL Injection via the "order_by parameter". This flaw is similar to CVE-2019-7548.
    Attack Vector: NETWORK, Attack Complexity: LOW
    ID: GlXDED58MtZucxWFc2HJjCq1SgWZ8DRaMXkXhC3g0fE%3D

  • CRITICAL CVE-2023-5457 in Python-Django-4.2.24 (Insight: Vulnerable Package)
    Description: A CWE-1269 "Product Released in Non-Release Configuration" vulnerability in the Django web framework used by the web application (due to the "debug...
    Attack Vector: NETWORK, Attack Complexity: LOW
    ID: XkY2BT5NLWpRXX8C%2BUkn2FKY8q7enTaaZVPxWDbxGYQ%3D

  • HIGH CVE-2018-18074 in Python-requests-2.5.1 (Insight: Vulnerable Package)
    Recommended version: 2.32.4
    Description: The requests package versions prior to 2.20.0 for Python sends an HTTP Authorization header to an HTTP URI upon receiving a same-hostname https-to-...
    Attack Vector: NETWORK, Attack Complexity: LOW
    ID: fjfwTJksi2xsQd2xu%2Fy%2BNti5pQ6bG5ud4SLOJdnayio%3D

  • HIGH CVE-2019-7548 in Python-SQLAlchemy-0.9.8 (Insight: Vulnerable Package)
    Recommended version: 1.3.0
    Description: SQLAlchemy through 1.3.0b2 has SQL Injection when the 'group_by' parameter can be controlled. This flaw is similar to CVE-2019-7164.
    Attack Vector: LOCAL, Attack Complexity: LOW
    ID: jXslkwbCEyGZ0OVZ%2B6koMm2%2BdxdNgsARGXN9bX7iKvc%3D

  • HIGH CVE-2024-1135 in Python-gunicorn-19.1.1 (Insight: Vulnerable Package)
    Recommended version: 23.0.0
    Description: Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with c...
    Attack Vector: NETWORK, Attack Complexity: LOW
    ID: eK5Sl4McGi3uRiNHsWGdsBDsY%2FWcLKSfua0%2BB3UItEc%3D

  • HIGH CVE-2024-6827 in Python-gunicorn-19.1.1 (Insight: Vulnerable Package)
    Recommended version: 23.0.0
    Description: The Gunicorn versions through 22.0.0 do not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which ...
    Attack Vector: NETWORK, Attack Complexity: LOW
    ID: nTy%2BY9m0fqbL8KWcpDEQvdKS%2FWowDOY85JhtF5zPiTs%3D

  • MEDIUM CVE-2018-25045 in Python-djangorestframework-3.0.0 (Insight: Vulnerable Package)
    Recommended version: 3.15.2
    Description: Django REST framework (aka django-rest-framework) allows XSS in versions 2.0.0 through 3.9.0 because the default DRF Browsable API view templates d...
    Attack Vector: NETWORK, Attack Complexity: LOW
    ID: 2ThF%2FOqa6WSPkc9By4Ghm96xuAEm0wxFd4PX3rkyxCo%3D

  • MEDIUM CVE-2024-21520 in Python-djangorestframework-3.0.0 (Insight: Vulnerable Package)
    Recommended version: 3.15.2
    Description: In djangorestframework versions prior to 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the 'break_long_headers' template filter due to im...
    Attack Vector: NETWORK, Attack Complexity: LOW
    ID: pGYz7zphw%2BIgMFxTVSyBHqAr8FgHX%2B8oHt3A0T%2B0MEQ%3D

  • MEDIUM CVE-2024-35195 in Python-requests-2.5.1 (Insight: Vulnerable Package)
    Recommended version: 2.32.4
    Description: Requests is an HTTP library. In the package requests versions prior to 2.32.0, when making requests through a Requests `Session`, if the first requ...
    Attack Vector: LOCAL, Attack Complexity: HIGH
    ID: z92fPZIrhQS%2FuT9JBlQnpeFiXeZnfQwZYN6MuvIr4Hs%3D

  • MEDIUM CVE-2024-47081 in Python-requests-2.5.1 (Insight: Vulnerable Package)
    Recommended version: 2.32.4
    Description: Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak ".netrc" credentials to third parties for speci...
    Attack Vector: NETWORK, Attack Complexity: HIGH
    ID: LE7luQKc%2BLgyKIUCm8nLh2V2%2F9xoHLtJpO1nCqyhSi0%3D

  • LOW Client_Dangerous_File_Inclusion in /swapi/templates/about.html, line 24 (Insight: Attack Vector)
    Description: The application loads an external library or source code file using "https://checkout.stripe.com/checkout.js", at line 24 of /swapi/templates/ab...
    ID: MvWv4QVhVTYzsKZk%2F5Y0WybO3Ro%3D

  • LOW Client_Dangerous_File_Inclusion in /swapi/templates/index.html, line 90 (Insight: Attack Vector)
    Description: The application loads an external library or source code file using "https://checkout.stripe.com/checkout.js", at line 90 of /swapi/templates/in...
    ID: d9dSRbRyL68JQ3nHtUN7HSmr%2BTg%3D

Fixed Issues (5)

Great job! The following issues were fixed in this Pull Request. Each entry lists severity, issue, and source file.

  • LOW Client_Hardcoded_Domain in /swapi/templates/base.html, line 10
  • LOW Client_Hardcoded_Domain in /swapi/templates/about.html, line 24
  • LOW Client_Hardcoded_Domain in /swapi/templates/base.html, line 15
  • LOW Client_Hardcoded_Domain in /swapi/templates/base.html, line 16
  • LOW Client_Hardcoded_Domain in /swapi/templates/index.html, line 90
