github - GHSA-xgxc-v2qg-chmh

GHSA-xgxc-v2qg-chmh

Vulnerability from github

Published

2021-04-08 18:11

Modified

2021-04-30 20:43

Severity

5.3 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Directory Traversal in Django

Details

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "2.2.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-28658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-08T18:11:26Z",
    "nvd_published_at": "2021-04-06T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.",
  "id": "GHSA-xgxc-v2qg-chmh",
  "modified": "2021-04-30T20:43:54Z",
  "published": "2021-04-08T18:11:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28658"
    },
    {
      "type": "WEB",
      "url": "https://docs.djangoproject.com/en/3.1/releases/security"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/Django"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210528-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directory Traversal in Django"
}

pysec-2021-6

Vulnerability from pysec

Published

2021-04-06 15:15

Modified

2021-05-12 08:15

Details

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django",
        "purl": "pkg:pypi/django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "2.2.20"
            },
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.0.14"
            },
            {
              "introduced": "3.1"
            },
            {
              "fixed": "3.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.2",
        "2.2.1",
        "2.2.2",
        "2.2.3",
        "2.2.4",
        "2.2.5",
        "2.2.6",
        "2.2.7",
        "2.2.8",
        "2.2.9",
        "2.2.10",
        "2.2.11",
        "2.2.12",
        "2.2.13",
        "2.2.14",
        "2.2.15",
        "2.2.16",
        "2.2.17",
        "2.2.18",
        "2.2.19",
        "3.0",
        "3.0.1",
        "3.0.2",
        "3.0.3",
        "3.0.4",
        "3.0.5",
        "3.0.6",
        "3.0.7",
        "3.0.8",
        "3.0.9",
        "3.0.10",
        "3.0.11",
        "3.0.12",
        "3.0.13",
        "3.1",
        "3.1.1",
        "3.1.2",
        "3.1.3",
        "3.1.4",
        "3.1.5",
        "3.1.6",
        "3.1.7"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-28658",
    "GHSA-xgxc-v2qg-chmh"
  ],
  "details": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.",
  "id": "PYSEC-2021-6",
  "modified": "2021-05-12T08:15:00Z",
  "published": "2021-04-06T15:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"
    },
    {
      "type": "WEB",
      "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xgxc-v2qg-chmh"
    }
  ]
}

cve-2021-28658

Vulnerability from cvelistv5

Published

2021-04-06 14:51

Modified

2024-08-03 21:47

Severity

Summary

References

URL	Tags
https://docs.djangoproject.com/en/3.1/releases/security/	x_refsource_MISC
https://groups.google.com/g/django-announce/c/ePr5j-ngdPU	x_refsource_MISC
https://www.djangoproject.com/weblog/2021/apr/06/security-releases/	x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html	mailing-list, x_refsource_MLIST
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/	vendor-advisory, x_refsource_FEDORA
https://security.netapp.com/advisory/ntap-20210528-0001/	x_refsource_CONFIRM

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:47:33.200Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"
          },
          {
            "name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
          },
          {
            "name": "FEDORA-2021-01044b8a59",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-28T09:06:11",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"
        },
        {
          "name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
        },
        {
          "name": "FEDORA-2021-01044b8a59",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28658",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.djangoproject.com/en/3.1/releases/security/",
              "refsource": "MISC",
              "url": "https://docs.djangoproject.com/en/3.1/releases/security/"
            },
            {
              "name": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU",
              "refsource": "MISC",
              "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/",
              "refsource": "CONFIRM",
              "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"
            },
            {
              "name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"
            },
            {
              "name": "FEDORA-2021-01044b8a59",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210528-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28658",
    "datePublished": "2021-04-06T14:51:43",
    "dateReserved": "2021-03-17T00:00:00",
    "dateUpdated": "2024-08-03T21:47:33.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

GHSA-xgxc-v2qg-chmh

Vulnerability from github

pysec-2021-6

Vulnerability from pysec

cve-2021-28658

Vulnerability from cvelistv5

Tags