ghsa-v6rh-hp5x-86rv
Vulnerability from github
Published
2021-12-09 19:09
Modified
2022-02-14 22:20
Severity
Summary
Potential bypass of an upstream access control based on URL paths in Django
Details
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.2.25" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "events": [ { "introduced": "3.0" }, { "fixed": "3.1.14" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "events": [ { "introduced": "3.2" }, { "fixed": "3.2.10" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-44420" ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2021-12-09T17:35:08Z", "nvd_published_at": "2021-12-08T00:15:00Z", "severity": "HIGH" }, "details": "In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.", "id": "GHSA-v6rh-hp5x-86rv", "modified": "2022-02-14T22:20:29Z", "published": "2021-12-09T19:09:37Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44420" }, { "type": "WEB", "url": "https://github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6" }, { "type": "WEB", "url": "https://docs.djangoproject.com/en/3.2/releases/security" }, { "type": "PACKAGE", "url": "https://github.com/django/django" }, { "type": "WEB", "url": "https://groups.google.com/forum/#!forum/django-announce" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211229-0006" }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2021/dec/07/security-releases" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2021/12/07/1" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "type": "CVSS_V3" } ], "summary": "Potential bypass of an upstream access control based on URL paths in Django" }
Loading...