Wang Baohua

#39601 of 53,633
6.9 Total CVSS
Vulnerabilities · 1
PT-2021-3618
6.9
2021-02-01
Django · Django · CVE-2021-3281
**Name of the Vulnerable Software and Affected Versions**

- Django versions 2.2 before 2.2.18
- Django versions 3.0 before 3.0.12
- Django versions 3.1 before 3.1.6

**Description**

The issue lies in the `django.utils.archive.extract` method, which is used by `startapp --template` and `startproject --template`. This method allows directory traversal via an archive containing absolute paths or relative paths with dot segments, so extracted files can be written outside the intended destination directory. The vulnerability may allow a remote attacker to impact data integrity.

**Recommendations**

- For Django versions 2.2 before 2.2.18, update to version 2.2.18 or later.
- For Django versions 3.0 before 3.0.12, update to version 3.0.12 or later.
- For Django versions 3.1 before 3.1.6, update to version 3.1.6 or later.

As a temporary workaround, consider disabling the `django.utils.archive.extract` method until a patch is available.
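As an added example (not Django's code and not part of this advisory), the following routine shows the validation that a safe archive extractor needs: member names that are absolute or contain `..` segments are rejected before anything is written, and the resolved path is additionally checked to stay under the destination. The function names and the archive built in `__main__` are this example's own constructions.

```python
import io
import os
import tarfile
import tempfile

# Added example, not Django's code: validate archive member names before extraction
# so absolute paths and ".." segments never reach the filesystem.

def is_safe_member_name(name: str) -> bool:
    """True only for relative names with no upward dot segments."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    if len(name) > 1 and name[1] == ":":      # Windows drive letter, e.g. C:\...
        return False
    parts = name.replace("\\", "/").split("/")
    return ".." not in parts

def resolves_inside(dest: str, name: str) -> bool:
    """Second line of defence: the final path must stay under dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real

def classify_member_names(names, dest):
    """Split member names into (accepted, rejected) for extraction into dest."""
    accepted, rejected = [], []
    for name in names:
        ok = is_safe_member_name(name) and resolves_inside(dest, name)
        (accepted if ok else rejected).append(name)
    return accepted, rejected

def safe_extract_tar(fileobj, dest):
    """Extract only validated regular files and directories; links are skipped."""
    with tarfile.open(fileobj=fileobj, mode="r") as tf:
        members = [m for m in tf.getmembers() if m.isfile() or m.isdir()]
        accepted, rejected = classify_member_names([m.name for m in members], dest)
        for m in members:
            if m.name in accepted:
                tf.extract(m, dest)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample archive: one normal template file plus hostile names.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("app/views.py", "../evil.py", "/tmp/abs.py", "app/../../x.py"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"#"))
    buf.seek(0)
    with tempfile.TemporaryDirectory() as d:
        print(safe_extract_tar(buf, d))  # (['app/views.py'], [the three hostile names])
```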