{ "threat_severity" : "Moderate", "public_date" : "2022-02-01T08:00:00Z", "bugzilla" : { "description" : "django: Possible XSS via '{% debug %}' template tag", "id" : "2048775", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2048775" }, "cvss3" : { "cvss3_base_score" : "6.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.", "A flaw was found in Django. The ``{% debug %}`` template tag did not properly encode the current context, posing a Cross-site scripting attack vector (XSS)." ], "affected_release" : [ { "product_name" : "Red Hat OpenStack Platform 16.1", "release_date" : "2022-12-07T00:00:00Z", "advisory" : "RHSA-2022:8872", "cpe" : "cpe:/a:redhat:openstack:16.1::el8", "package" : "python-django20-0:2.0.13-18.el8ost" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "release_date" : "2022-12-07T00:00:00Z", "advisory" : "RHSA-2022:8853", "cpe" : "cpe:/a:redhat:openstack:16.2::el8", "package" : "python-django20-0:2.0.13-18.el8ost" }, { "product_name" : "Red Hat Satellite 6.11 for RHEL 8", "release_date" : "2022-07-05T00:00:00Z", "advisory" : "RHSA-2022:5498", "cpe" : "cpe:/a:redhat:satellite:6.11::el8", "package" : "python-django-0:3.2.13-1.el8pc" }, { "product_name" : "Red Hat Satellite 6.11 for RHEL 8", "release_date" : "2022-07-05T00:00:00Z", "advisory" : "RHSA-2022:5498", "cpe" : "cpe:/a:redhat:satellite_capsule:6.11::el8", "package" : "python-django-0:3.2.13-1.el8pc" }, { "product_name" : "Red Hat Satellite 6.12 for RHEL 8", "release_date" : "2022-11-16T00:00:00Z", "advisory" : "RHSA-2022:8506", "cpe" : "cpe:/a:redhat:satellite:6.12::el8", "package" : "python-django-0:3.2.14-2.el8pc" }, { "product_name" : "Red Hat Satellite 6.12 for RHEL 8", "release_date" : "2022-11-16T00:00:00Z", "advisory" : "RHSA-2022:8506", "cpe" : "cpe:/a:redhat:satellite_capsule:6.12::el8", "package" : "python-django-0:3.2.14-2.el8pc" } ], "package_state" : [ { "product_name" : "Red Hat Ansible Automation Platform 1.2", "fix_state" : "Will not fix", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ansible_automation_platform" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Tower 3", "fix_state" : "Will not fix", "package_name" : "django", "cpe" : "cpe:/a:redhat:ansible_tower:3" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "calamari-server", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Out of support scope", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ceph_storage:3" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Out of support scope", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "python3-django", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:storage:3" }, { "product_name" : "Red Hat Update Infrastructure 3 for Cloud Providers", "fix_state" : "Will not fix", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:rhui:3" }, { "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers", "fix_state" : "Affected", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:rhui:4::el8" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-22818\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-22818\nhttps://www.djangoproject.com/weblog/2022/feb/01/security-releases/" ], "name" : "CVE-2022-22818", "csaw" : false }