UBUNTU-CVE-2021-33203

See a problem?

Source

https://ubuntu.com/security/notices/UBUNTU-CVE-2021-33203

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-33203.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-33203

Related

Published

2021-06-02T09:00:00Z

Modified

2021-06-02T09:00:00Z

Severity

4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

References

Affected packages

Ubuntu:Pro:16.04:LTS / python-django

Package

Name: python-django
Purl: pkg:deb/ubuntu/python-django@1.8.7-1ubuntu5.15+esm3?arch=src?distro=esm-infra/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.7-1ubuntu5.15+esm3

Affected versions

1.*

1.7.9-1ubuntu5

1.8.5-2ubuntu1

1.8.7-1ubuntu1

1.8.7-1ubuntu2

1.8.7-1ubuntu3

1.8.7-1ubuntu4

1.8.7-1ubuntu5

1.8.7-1ubuntu5.1

1.8.7-1ubuntu5.2

1.8.7-1ubuntu5.4

1.8.7-1ubuntu5.5

1.8.7-1ubuntu5.6

1.8.7-1ubuntu5.7

1.8.7-1ubuntu5.8

1.8.7-1ubuntu5.9

1.8.7-1ubuntu5.10

1.8.7-1ubuntu5.11

1.8.7-1ubuntu5.12

1.8.7-1ubuntu5.13

1.8.7-1ubuntu5.14

1.8.7-1ubuntu5.15

1.8.7-1ubuntu5.15+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "python-django-common": "1.8.7-1ubuntu5.15+esm3",
            "python-django-doc": "1.8.7-1ubuntu5.15+esm3",
            "python-django": "1.8.7-1ubuntu5.15+esm3",
            "python3-django": "1.8.7-1ubuntu5.15+esm3"
        }
    ]
}

Ubuntu:18.04:LTS / python-django

Package

Name: python-django
Purl: pkg:deb/ubuntu/python-django@1:1.11.11-1ubuntu1.14?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.11.11-1ubuntu1.14

Affected versions

1:1.*

1:1.11.4-1ubuntu1

1:1.11.6-1ubuntu1

1:1.11.9-1ubuntu1

1:1.11.11-1ubuntu1

1:1.11.11-1ubuntu1.1

1:1.11.11-1ubuntu1.2

1:1.11.11-1ubuntu1.3

1:1.11.11-1ubuntu1.4

1:1.11.11-1ubuntu1.5

1:1.11.11-1ubuntu1.6

1:1.11.11-1ubuntu1.7

1:1.11.11-1ubuntu1.8

1:1.11.11-1ubuntu1.9

1:1.11.11-1ubuntu1.10

1:1.11.11-1ubuntu1.11

1:1.11.11-1ubuntu1.12

1:1.11.11-1ubuntu1.13

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "python-django-common": "1:1.11.11-1ubuntu1.14",
            "python-django-doc": "1:1.11.11-1ubuntu1.14",
            "python-django": "1:1.11.11-1ubuntu1.14",
            "python3-django": "1:1.11.11-1ubuntu1.14"
        }
    ]
}

Ubuntu:20.04:LTS / python-django

Package

Name: python-django
Purl: pkg:deb/ubuntu/python-django@2:2.2.12-1ubuntu0.7?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:2.2.12-1ubuntu0.7

Affected versions

1:1.*

1:1.11.22-1ubuntu1

2:2.*

2:2.2.6-1ubuntu1

2:2.2.9-2ubuntu1

2:2.2.10-1

2:2.2.10-1ubuntu1

2:2.2.11-1

2:2.2.12-1

2:2.2.12-1ubuntu0.1

2:2.2.12-1ubuntu0.2

2:2.2.12-1ubuntu0.3

2:2.2.12-1ubuntu0.4

2:2.2.12-1ubuntu0.5

2:2.2.12-1ubuntu0.6

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "python-django-doc": "2:2.2.12-1ubuntu0.7",
            "python3-django": "2:2.2.12-1ubuntu0.7"
        }
    ]
}