CVE-2021-44420

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-44420
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44420.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-44420
Aliases
Related
Published
2021-12-08T00:15:07Z
Modified
2024-10-12T08:37:42.659259Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
[none]
Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

References

Affected packages

Debian:11 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.25-1~deb11u1

Affected versions

2:2.*

2:2.2.24-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:3.2.10-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:3.2.10-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Introduced
635d53a86a36cde7866b9caefeb64d809e6bfcd9
Fixed
79d8dcefb2739176839fa76f8780aca5aa9b7101

Affected versions

2.*

2.2
2.2.1
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.2
2.2.20
2.2.21
2.2.22
2.2.23
2.2.24
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9