ALT-PU-2021-3619-2 — python3-module-django

BDU:2021-05162

HIGH7.5

Уязвимость функций URLValidator, validate_ipv4_address, validate_ipv46_address программной платформы для веб-приложений Django, связанная с недостаточной проверкой поступающих запросов, позволяющая нарушителю оказать воздействие на целостность данных

Published: 2021-10-27Modified: 2023-11-13

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

References

CVE-2021-33571

BDU:2021-05215

HIGH7.5

Уязвимость компонентов MultiPartParser, UploadedFile, FieldFile программной платформы для веб-приложений Django, связанная с отсутствием ограничений на загрузку файлов, позволяющая нарушителю получить доступ к конфиденциальным данным

Published: 2021-10-27Modified: 2023-11-13

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2021-31542

BDU:2021-05245

MEDIUM4.9

Уязвимость функции TemplateDetailView компонента django/contrib/admindocs программной платформы для веб-приложений Django, связанная с недостатками ограничения имени пути к каталогу, позволяющая нарушителю получить доступ к конфиденциальным данным

Published: 2021-10-29Modified: 2024-11-11

CVSS 3.xMEDIUM 4.9

CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

References

CVE-2021-33203

BDU:2021-05276

MEDIUM5.3

Уязвимость компонента MultiPartParser программной платформы для веб-приложений Django, связанная с недостатками ограничения имени пути к каталогу, позволяющая нарушителю получить доступ к конфиденциальным данным

Published: 2021-11-02Modified: 2023-11-13

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2021-28658

CVE-2021-28658

MEDIUM5.3

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

Published: 2021-04-06Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2021-31542

HIGH7.5

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

Published: 2021-05-05Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

CVE-2021-32052

MEDIUM6.1

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

Published: 2021-05-06Modified: 2024-11-21

CVSS 2.0MEDIUM 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2021-33203

MEDIUM4.9

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

Published: 2021-06-08Modified: 2024-11-21

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS 3.xMEDIUM 4.9

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References

CVE-2021-33571

HIGH7.5

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

Published: 2021-06-08Modified: 2024-11-21

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

CVE-2021-44420

HIGH7.3

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Published: 2021-12-08Modified: 2024-11-21

CVSS 2.0HIGH 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 7.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

GHSA-68w8-qjq3-2gfm

MEDIUM6.9

Path Traversal in Django

Published: 2021-06-10Modified: 2024-09-20

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

GHSA-p99v-5w3c-jqq9

HIGH8.7

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks

Published: 2021-06-10Modified: 2024-09-20

CVSS 3.xHIGH 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS 4.0HIGH 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

GHSA-qm57-vhq3-3fwf

MEDIUM5.3

Header injection possible in Django

Published: 2021-06-09Modified: 2024-09-20

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0MEDIUM 5.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

GHSA-rxjp-mfm9-w4wr

HIGH8.7

Path Traversal in Django

Published: 2021-06-05Modified: 2024-09-20

CVSS 3.xHIGH 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0HIGH 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

GHSA-v6rh-hp5x-86rv

MEDIUM6.9

Potential bypass of an upstream access control based on URL paths in Django

Published: 2021-12-09Modified: 2024-11-18

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

References

GHSA-xgxc-v2qg-chmh

MEDIUM6.9

Directory Traversal in Django

Published: 2021-04-08Modified: 2024-09-20

CVSS 3.x

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 4.0

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

Package update python3-module-django in branch p9

Closed issues (16)

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Path Traversal in Django

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks

Header injection possible in Django

Path Traversal in Django

Potential bypass of an upstream access control based on URL paths in Django

Directory Traversal in Django