PYSEC-2021-8

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2021-8.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2021-8
Aliases
Published
2021-05-06T16:15:00Z
Modified
2023-12-06T00:46:11.976870Z
Summary
[none]
Details

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2
Fixed
2.2.22
Introduced
3.1
Fixed
3.1.10
Introduced
3.2
Fixed
3.2.2

Affected versions

2.*

2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21

3.*

3.1
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.2
3.2.1