GHSA-xgxc-v2qg-chmh
Vulnerability from github
Published
2021-04-08 18:11
Modified
2021-04-30 20:43
Severity
MODERATE
Summary
Directory Traversal in Django
Details
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
{
  "affected": [
    {
      "package": { "ecosystem": "PyPI", "name": "Django" },
      "ranges": [
        {
          "events": [ { "introduced": "2.2" }, { "fixed": "2.2.20" } ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": { "ecosystem": "PyPI", "name": "Django" },
      "ranges": [
        {
          "events": [ { "introduced": "3.0" }, { "fixed": "3.0.14" } ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": { "ecosystem": "PyPI", "name": "Django" },
      "ranges": [
        {
          "events": [ { "introduced": "3.1" }, { "fixed": "3.1.8" } ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [ "CVE-2021-28658" ],
  "database_specific": {
    "cwe_ids": [ "CWE-22" ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-08T18:11:26Z",
    "nvd_published_at": "2021-04-06T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.",
  "id": "GHSA-xgxc-v2qg-chmh",
  "modified": "2021-04-30T20:43:54Z",
  "published": "2021-04-08T18:11:48Z",
  "references": [
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28658" },
    { "type": "WEB", "url": "https://docs.djangoproject.com/en/3.1/releases/security" },
    { "type": "WEB", "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU" },
    { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html" },
    { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE" },
    { "type": "WEB", "url": "https://pypi.org/project/Django" },
    { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210528-0001" },
    { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "type": "CVSS_V3" }
  ],
  "summary": "Directory Traversal in Django"
}