CVE-2021-44420

Source
https://cve.org/CVERecord?id=CVE-2021-44420
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44420.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-44420
Published
2021-12-08T00:15:07.757Z
Modified
2026-05-28T04:07:08.286480543Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
[none]
Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Database specific
{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "20.04"
                },
                {
                    "last_affected": "21.04"
                },
                {
                    "last_affected": "21.10"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "canonical:ubuntu_linux",
            "cpes": [
                "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*"
            ]
        },
        {
            "extracted_events": [
                {
                    "last_affected": "10.0"
                },
                {
                    "last_affected": "11.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "vendor_product": "debian:debian_linux"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "35"
                }
            ],
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "vendor_product": "fedoraproject:fedora"
        },
        {
            "extracted_events": [
                {
                    "last_affected": "6.0"
                }
            ],
            "vendor_product": "redhat:satellite",
            "cpes": [
                "cpe:2.3:o:redhat:satellite:6.0:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING"
        }
    ]
}
Affected packages

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "2.2"
        },
        {
            "fixed": "2.2.25"
        },
        {
            "introduced": "3.1"
        },
        {
            "fixed": "3.1.14"
        },
        {
            "introduced": "3.2"
        },
        {
            "fixed": "3.2.10"
        }
    ],
    "cpe": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-44420.json"