BIT-django-2021-44420

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/django/BIT-django-2021-44420.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-django-2021-44420

Aliases

CVE-2021-44420
GHSA-v6rh-hp5x-86rv
PYSEC-2021-439

Published

2024-03-06T10:54:09.079Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

References

https://docs.djangoproject.com/en/3.2/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://security.netapp.com/advisory/ntap-20211229-0006/
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
https://www.openwall.com/lists/oss-security/2021/12/07/1

Affected packages

Bitnami / django

Package

Name: django
Purl: pkg:bitnami/django

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

2.2.0

Fixed

2.2.25

Introduced

3.1.0

Fixed

3.1.14

Introduced

3.2.0

Fixed

3.2.10