PT-2021-4594 · Django+4 · Django+4

Dennis Brinkrolf

Published

2021-04-01

Updated

2024-03-06

CVE-2021-28658

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Django versions 2.2 before 2.2.20 Django versions 3.0 before 3.0.14 Django versions 3.1 before 3.1.8

Description The issue is related to the MultiPartParser component in Django, which has a directory path restriction flaw. This flaw can be exploited by a remote attacker using files with specially crafted names, potentially allowing access to confidential data. The built-in upload handlers are not affected by this issue.

Recommendations For Django versions 2.2 before 2.2.20, update to version 2.2.20 or later. For Django versions 3.0 before 3.0.14, update to version 3.0.14 or later. For Django versions 3.1 before 3.1.8, update to version 3.1.8 or later.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2021-2228

ALT-PU-2021-3619

BDU:2021-05276

BIT-DJANGO-2021-28658

CVE-2021-28658

DLA-2622-1

DLA-3744-1

GHSA-XGXC-V2QG-CHMH

MGASA-2021-0356

PYSEC-2021-6

RHSA-2021:4702

RHSA-2021:5070

SUSE-SU-2021:1962-1

SUSE-SU-2021:1963-1

SUSE-SU-2021:2554-1

USN-4902-1

Affected Products

Alt Linux

Astra Linux

Django

Linuxmint

Ubuntu

PT-2021-4594 · Django+4 · Django+4

CVE-2021-28658

Weakness Enumeration

Related Identifiers

Affected Products

References · 120