PT-2021-4521 · Django+4
Published 2021-05-25 · Updated 2026-01-03 · CVE-2021-33571
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions 2.2 before 2.2.24
Django versions 3.x before 3.1.12
Django versions 3.2 before 3.2.4
Description
The issue is related to the URLValidator, validate_ipv4_address, and validate_ipv46_address functions in Django, which do not prohibit leading zero characters in octal literals. Because an octet written with a leading zero may be read as a decimal value by the validator but as an octal value by the system that later resolves the address, this may allow a bypass of access control based on IP addresses. The validate_ipv4_address and validate_ipv46_address functions are unaffected when used with Python 3.9.5 and later.
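To make the ambiguity concrete, the following is an added Python example (not Django's own code) that shows why a dotted-quad address with a leading-zero octet must be rejected: a lenient decimal validator and a BSD-style inet_aton parser, which treats an octet with a leading zero as octal, read the same string as two different hosts. The function names and the sample addresses are constructed for illustration, and validate_ipv4_strict is a hardened check that rejects such input regardless of the Python version.

```python
import ipaddress
from typing import List, Optional


def parse_octets(value: str) -> Optional[List[str]]:
    """Split a dotted-quad string into four numeric octet strings, or None."""
    parts = value.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 1 <= len(p) <= 3 for p in parts):
        return None
    return parts


def has_leading_zero_octet(value: str) -> bool:
    """True if any octet is written with a leading zero, e.g. '010.0.0.1'."""
    parts = parse_octets(value)
    return parts is not None and any(len(p) > 1 and p[0] == "0" for p in parts)


def decimal_reading(value: str) -> Optional[str]:
    """How a lenient validator reads the string: every octet in base 10."""
    parts = parse_octets(value)
    if parts is None or any(int(p, 10) > 255 for p in parts):
        return None
    return ".".join(str(int(p, 10)) for p in parts)


def inet_aton_reading(value: str) -> Optional[str]:
    """How a BSD-style inet_aton reads it: a leading-zero octet is octal."""
    parts = parse_octets(value)
    if parts is None:
        return None
    out = []
    for p in parts:
        base = 8 if (len(p) > 1 and p[0] == "0") else 10
        try:
            n = int(p, base)
        except ValueError:  # e.g. '09' is not a valid octal literal
            return None
        if n > 255:
            return None
        out.append(str(n))
    return ".".join(out)


def is_ambiguous(value: str) -> bool:
    """True when the decimal and octal readings name different hosts."""
    d, o = decimal_reading(value), inet_aton_reading(value)
    return d is not None and o is not None and d != o


def validate_ipv4_strict(value: str) -> str:
    """Accept only canonical dotted-quad input; reject ambiguous octal forms."""
    if has_leading_zero_octet(value):
        raise ValueError(f"ambiguous IPv4 address (leading zero in octet): {value!r}")
    return str(ipaddress.IPv4Address(value))  # rejects other malformed input
```

Running is_ambiguous("010.0.0.1") reports True because the decimal reading is 10.0.0.1 while the octal reading is 8.0.0.1; a validator that checked the first form against an allowlist would not be checking the host actually contacted.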
Recommendations
For Django versions 2.2 before 2.2.24, update to version 2.2.24 or later to resolve the issue.
For Django versions 3.x before 3.1.12, update to version 3.1.12 or later to resolve the issue.
For Django versions 3.2 before 3.2.4, update to version 3.2.4 or later to resolve the issue.
As a temporary workaround, consider restricting access to IP addresses that could be affected by the bypass of access control until a patch is applied.
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Django
Linuxmint
Ubuntu