PT-2022-1408 · Django+6

Dennis Brinkrolf · Published 2022-01-04 · Updated 2024-03-06 · CVE-2021-45116

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Django versions 2.2 before 2.2.26
Django versions 3.2 before 3.2.11
Django versions 4.0 before 4.0.1
Description
The issue lies in the dictsort template filter in Django, which could lead to information disclosure or an unintended method call if it is passed a suitably crafted key. This is because dictsort relies on the Django Template Language's variable resolution logic to resolve the key. The vulnerability may allow a remote attacker to obtain confidential system information.
Recommendations
For Django versions 2.2 before 2.2.26, update to version 2.2.26 or later. For Django versions 3.2 before 3.2.11, update to version 3.2.11 or later. For Django versions 4.0 before 4.0.1, update to version 4.0.1 or later. As a temporary workaround, consider restricting the use of the dictsort template filter until the fixed version can be deployed.

Fix · RCE · Exposure of Resource to Wrong Sphere


Weakness Enumeration

Related Identifiers

ALT-PU-2022-1075
ALT-PU-2022-1124
BDU:2022-00354
BIT-DJANGO-2021-45116
CVE-2021-45116
DLA-3177-1
GHSA-8C5J-9R9F-C6W8
MGASA-2022-0011
OESA-2022-1530
OESA-2022-2055
OPENSUSE-SU-2023:0005-1
PYSEC-2022-2
RHSA-2022:5498
RLSA-2022:5498
SUSE-SU-2022:0102-1
SUSE-SU-2022:0103-1
USN-5204-1

Affected Products

Alt Linux
Astra Linux
Django
Linuxmint
Red Os
Rocky Linux
Ubuntu