PT-2021-4574 · Django+4

Rasmus Lerchedahl Petersen +1 · Published 2021-05-19 · Updated 2026-01-03 · CVE-2021-33203

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Django versions 2.2.23 and earlier, 3.x versions prior to 3.1.12, 3.2.x versions prior to 3.2.4.

Description: The issue is a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. If the default admindocs templates have been customized to show file contents, the file contents would also be exposed, allowing directory traversal outside of the template root directories.

Recommendations: For Django versions 2.2.23 and earlier, update to version 2.2.24 or later. For Django 3.x versions prior to 3.1.12, update to version 3.1.12 or later. For Django 3.2.x versions prior to 3.2.4, update to version 3.2.4 or later. As a temporary workaround, consider restricting access to the TemplateDetailView view in django.contrib.admindocs until a patch is applied.
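Added example (not Django's code and not part of this advisory): a constructed template root beside a file outside it, with the lookup pattern that produces the existence oracle described above next to a hardened lookup that confines the resolved path to the root. `safe_join` is a hypothetical helper name and the file layout is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Constructed layout: a template root holding admin/base.html, plus a file
# one level above it that a template lookup must never be able to reach.
ROOT = Path(tempfile.mkdtemp())
TEMPLATE_ROOT = ROOT / "templates"
(TEMPLATE_ROOT / "admin").mkdir(parents=True)
(TEMPLATE_ROOT / "admin" / "base.html").write_text("<html>base</html>")
(ROOT / "secret.conf").write_text("DB_PASSWORD=constructed-sample\n")


def lookup_unsafe(template, roots=(TEMPLATE_ROOT,)):
    """Vulnerable pattern: join the user-supplied name onto each root and
    report whether the result exists. A name containing '..' (or an absolute
    path) walks out of the root, so the view becomes a file-existence oracle,
    and a file-read primitive if it also renders the file."""
    for root in roots:
        candidate = Path(root, template)
        if candidate.exists():
            return candidate
    return None


def safe_join(root, name):
    """Hypothetical helper: resolve name beneath root and refuse any result
    that lands outside root (covers '..', absolute names and symlinks)."""
    root = Path(root).resolve()
    candidate = (root / name).resolve()
    # The common prefix of the two resolved paths must be the root itself.
    if os.path.commonpath([root, candidate]) != str(root):
        raise ValueError(f"{name!r} escapes template root {root}")
    return candidate


def lookup_safe(template, roots=(TEMPLATE_ROOT,)):
    """Hardened lookup: a name that escapes a root is rejected before any
    filesystem probe, so existence is only revealed for genuine templates."""
    for root in roots:
        try:
            candidate = safe_join(root, template)
        except ValueError:
            continue
        if candidate.exists():
            return candidate
    return None
```

The workaround in the recommendations (restricting who can reach TemplateDetailView) limits who can exercise the unsafe path; the containment check removes the traversal itself regardless of who calls the view.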

Fix

Weakness Enumeration: Path traversal

Related Identifiers

ALT-PU-2021-2228
ALT-PU-2021-3619
BDU:2021-05245
BIT-DJANGO-2021-33203
CVE-2021-33203
DLA-2676-1
DLA-3744-1
GHSA-68W8-QJQ3-2GFM
MGASA-2021-0356
OPENSUSE-SU-2023:0005-1
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2021-98
RHSA-2021:3490
RHSA-2021:4702
RHSA-2021:5070
SUSE-SU-2021:1962-1
SUSE-SU-2021:1963-1
SUSE-SU-2021:2554-1
USN-4975-1
USN-4975-2

Affected Products

Alt Linux
Astra Linux
Django
Linuxmint
Ubuntu