Linux Security

    ArchLinux: 202102-28: python-django: url request injection

    Date 22 Feb 2021
    Posted By LinuxSecurity Advisories
    The package python-django before version 3.1.7-1 is vulnerable to url request injection.
    Arch Linux Security Advisory ASA-202102-28
    ==========================================
    
    Severity: Medium
    Date    : 2021-02-20
    CVE-ID  : CVE-2021-23336
    Package : python-django
    Type    : url request injection
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1593
    
    Summary
    =======
    
    The package python-django before version 3.1.7-1 is vulnerable to url
    request injection.
    
    Resolution
    ==========
    
    Upgrade to 3.1.7-1.
    
    # pacman -Syu "python-django>=3.1.7-1"
    
    The problem has been fixed upstream in version 3.1.7.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    The package python/cpython before 3.6.13, from 3.7.0 and before
    3.7.10, from 3.8.0 and before 3.8.8, and from 3.9.0 and before 3.9.2
    is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and
    urllib.parse.parse_qs by using a vector called parameter cloaking.
    When the attacker can separate query parameters using a semicolon
    (;), they can cause a difference in the interpretation of the request
    between the proxy (running with default configuration) and the
    server. This can result in malicious requests being cached as
    completely safe ones: the proxy would usually not see the semicolon
    as a separator, so the cloaked parameter is folded into the value of
    an unkeyed parameter and therefore never reaches the cache key.
    
    The package python-django contains a copy of urllib.parse.parse_qsl()
    which was added to backport some security fixes. A further security fix
    has been issued in versions 3.1.7, 3.0.13 and 2.2.19 such that
    parse_qsl() no longer allows using ; as a query parameter separator by
    default.
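
    The proxy/backend mismatch described above, shown end to end as an
    added example (this is not code from CPython, Django or the Arch
    advisory). The legacy '&'-and-';' splitting is re-implemented here
    from the pre-fix behaviour; the fixed path uses the stdlib parse_qsl
    with the explicit separator argument introduced by the fix. The
    proxy model, the unkeyed-parameter list, the QueryDict-style
    "last value wins" lookup and the query string ATTACK_QS are all
    constructed for illustration.

```python
"""Parameter cloaking (CVE-2021-23336): a caching proxy that splits only on
'&' and a backend that also splits on ';' disagree about the request.
Constructed example; not code from CPython, Django or Arch Linux."""
from urllib.parse import parse_qsl, unquote, urlencode

# Assumed proxy configuration: tracking parameters excluded from the cache key.
UNKEYED = frozenset({"utm_source", "utm_medium", "utm_content"})


def legacy_parse_qsl(qs):
    """Re-implementation of the pre-fix pair splitting (CPython < 3.9.2,
    Django < 3.1.7): both '&' and ';' separate name=value pairs.
    Only the splitting logic is reproduced; this is not the stdlib code."""
    pairs = [p for chunk in qs.split("&") for p in chunk.split(";")]
    out = []
    for pair in pairs:
        if not pair:
            continue
        name, _, value = pair.partition("=")
        out.append((unquote(name.replace("+", " ")),
                    unquote(value.replace("+", " "))))
    return out


def fixed_parse_qsl(qs):
    """Patched behaviour: '&' is the only separator. The separator argument
    exists from CPython 3.6.13 / 3.7.10 / 3.8.8 / 3.9.2 onwards."""
    return parse_qsl(qs, keep_blank_values=True, separator="&")


def proxy_cache_key(path, qs):
    """Model of a caching proxy in default configuration: it recognises
    only '&' as a separator and drops unkeyed parameters from the key."""
    keyed = [(n, v) for n, v in parse_qsl(qs, keep_blank_values=True,
                                          separator="&") if n not in UNKEYED]
    return path + ("?" + urlencode(keyed) if keyed else "")


def backend_value(qs, name, parser):
    """Model of Django's QueryDict.get(): the last occurrence of a name wins,
    so a cloaked duplicate overrides the value the proxy keyed on."""
    value = None
    for n, v in parser(qs):
        if n == name:
            value = v
    return value


def detect_parameter_cloaking(qs):
    """Flag '&'-delimited pairs whose value carries ';' followed by another
    name=value pair: the request shape a cloaking attempt produces. Useful
    as a WAF/edge rule while backends are still unpatched."""
    suspicious = []
    for pair in qs.split("&"):
        name, _, value = pair.partition("=")
        if ";" in value and "=" in value.split(";", 1)[1]:
            suspicious.append((name, value))
    return suspicious


# Constructed attacker query string: the second q= is hidden inside the
# value of an unkeyed tracking parameter.
ATTACK_QS = "q=safe&utm_content=x;q=INJECTED"

if __name__ == "__main__":
    print("proxy cache key  :", proxy_cache_key("/search", ATTACK_QS))
    print("legacy backend q :", backend_value(ATTACK_QS, "q", legacy_parse_qsl))
    print("fixed backend q  :", backend_value(ATTACK_QS, "q", fixed_parse_qsl))
    print("cloaked pairs    :", detect_parameter_cloaking(ATTACK_QS))
```

    With the legacy parser the proxy caches the response for
    /search?q=safe while the backend rendered it for q=INJECTED; with
    the fixed parser both sides agree on q=safe, which is why the
    advisory lists no workaround other than upgrading.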
    
    Impact
    ======
    
    A remote attacker is able to insert malicious requests in the web proxy
    cache.
    
    References
    ==========
    
    https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933
    https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
    https://bugs.python.org/issue42967
    https://github.com/python/cpython/pull/24297
    https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92
    https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
    https://github.com/django/django/commit/8f6d431b08cbb418d9144b976e7b972546607851
    https://security.archlinux.org/CVE-2021-23336
    
