CVE-2021-32052

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32052
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32052.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-32052
Aliases
Related
Published
2021-05-06T16:15:07Z
Modified
2024-10-12T07:34:12.033410Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

References

Affected packages

Debian:11 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.22-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.22-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.22-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Type
GIT
Repo
https://github.com/python/cpython
Events

Affected versions

2.*

2.2
2.2.1
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.2
2.2.20
2.2.21
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9

v3.*

v3.1.1
v3.1.1rc1
v3.1.2
v3.1.2rc1
v3.1.3
v3.1.3rc1
v3.1.4
v3.1.4rc1
v3.2
v3.2.1
v3.2.1b1
v3.2.1rc1
v3.2.1rc2
v3.2.2rc1