Linux Security

    ArchLinux: 202102-28: python-django: url request injection

    Date 22 Feb 2021
    Posted By LinuxSecurity Advisories
    The package python-django before version 3.1.7-1 is vulnerable to url request injection.
    Arch Linux Security Advisory ASA-202102-28
    Severity: Medium
    Date    : 2021-02-20
    CVE-ID  : CVE-2021-23336
    Package : python-django
    Type    : url request injection
    Remote  : Yes
    Link    :
    The package python-django before version 3.1.7-1 is vulnerable to url
    request injection.
    Upgrade to 3.1.7-1.
    # pacman -Syu "python-django>=3.1.7-1"
    The problem has been fixed upstream in version 3.1.7.
    The package python/cpython from 0 and before 3.6.13, from 3.7.0 and
    before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2
    are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and
    urllib.parse.parse_qs by using a vector called parameter cloaking. When
    the attacker can separate query parameters using a semicolon (;), they
    can cause a difference in the interpretation of the request between the
    proxy (running with default configuration) and the server. This can
    result in malicious requests being cached as completely safe ones, as
    the proxy would usually not see the semicolon as a separator, and
    therefore would not include it in a cache key of an unkeyed parameter.
    The package python-django contains a copy of urllib.parse.parse_qsl()
    which was added to backport some security fixes. A further security fix
    has been issued in versions 3.1.7, 3.0.13 and 2.2.19 such that
    parse_qsl() no longer allows using ; as a query parameter separator by
    A remote attacker is able to insert malicious requests in the web proxy
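The parameter-cloaking discrepancy the description above refers to, shown as an added Python example (this is not code from the advisory, from CPython or from Django). It emulates three views of one query string: a caching proxy that splits only on "&", the pre-fix parse_qsl() that also split on ";", and the fixed stdlib parse_qsl() called with the explicit separator argument the fix introduced. The function names, the "q"/"utm_content" parameter names and the sample query are constructed for illustration.

```python
"""Why a ';' in the query string lets a default-configured proxy and a pre-fix
parse_qsl() disagree about a keyed parameter's value (CVE-2021-23336).
All helper names and the sample query are constructed for this example."""
from __future__ import annotations

from urllib.parse import parse_qsl, unquote_plus


def _split_pairs(qs: str, separators: str) -> list[tuple[str, str]]:
    """Split a query string into (name, value) pairs on any of `separators`."""
    for sep in separators[1:]:
        qs = qs.replace(sep, separators[0])
    pairs = []
    for chunk in qs.split(separators[0]):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def proxy_parse(qs: str) -> list[tuple[str, str]]:
    """A caching proxy in default configuration: '&' is the only separator."""
    return _split_pairs(qs, "&")


def legacy_origin_parse(qs: str) -> list[tuple[str, str]]:
    """Emulation of parse_qsl() before the fix, when ';' was also a separator."""
    return _split_pairs(qs, "&;")


def fixed_origin_parse(qs: str) -> list[tuple[str, str]]:
    """The patched stdlib parser: with separator='&', ';' is ordinary data.
    (The `separator` keyword exists only in the fixed CPython releases.)"""
    return parse_qsl(qs, separator="&")


def effective_value(pairs: list[tuple[str, str]], name: str) -> str | None:
    """Last value wins, which is how Django's QueryDict.__getitem__ behaves."""
    value = None
    for k, v in pairs:
        if k == name:
            value = v
    return value


def cloaked_params(qs: str, keyed_params: set[str],
                   origin_parse=legacy_origin_parse) -> dict[str, tuple]:
    """Keyed parameters whose value the proxy keys on differs from the value
    the origin will act on. A non-empty result means the proxy could cache
    the origin's response under a key built from a different value."""
    proxy_pairs = proxy_parse(qs)
    origin_pairs = origin_parse(qs)
    diff = {}
    for name in keyed_params:
        p = effective_value(proxy_pairs, name)
        o = effective_value(origin_pairs, name)
        if p != o:
            diff[name] = (p, o)
    return diff


# Constructed sample: 'utm_content' is unkeyed at the proxy, 'q' is keyed.
SAMPLE_QS = "q=safe&utm_content=x;q=other"

if __name__ == "__main__":
    print("proxy sees        :", proxy_parse(SAMPLE_QS))
    print("legacy origin sees:", legacy_origin_parse(SAMPLE_QS))
    print("cloaked (pre-fix) :", cloaked_params(SAMPLE_QS, {"q"}))
    print("cloaked (fixed)   :", cloaked_params(SAMPLE_QS, {"q"}, fixed_origin_parse))
```

With the pre-fix parser the proxy keys the entry on q=safe while the origin answers for q=other; with the fixed parser both sides agree, which is exactly what the upgrade restores. The same comparison, run over the query strings in an access log, is a cheap way to spot requests that would have been interpreted differently on the two sides.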
