GHSA-p99v-5w3c-jqq9

Source

https://github.com/advisories/GHSA-p99v-5w3c-jqq9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-p99v-5w3c-jqq9/GHSA-p99v-5w3c-jqq9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p99v-5w3c-jqq9

Aliases

Published

2021-06-10T17:21:12Z

Modified

2024-02-17T05:27:17.121784Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks

Details

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validateipv4address, and validateipv46address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validateipv4address and validateipv46address are unaffected with Python 3.9.5+..) .

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.24

Affected versions

2.*

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.20

2.2.21

2.2.22

2.2.23

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.1.12

Affected versions

3.*

3.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.1a1

3.1b1

3.1rc1

3.1

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Fixed

3.2.4

Affected versions

3.*

3.2

3.2.1

3.2.2

3.2.3