Explore top 10 tips to secure your open-source projects now. Read More
×
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8,
MultiPartParser allowed directory traversal via uploaded files with suitably
crafted file names. Built-in upload handlers were not affected by this
vulnerability (CVE-2021-28658).
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1,
MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via
uploaded files with suitably crafted file names (CVE-2021-31542).
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with
Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the
URLField form field is used). If an application uses values with newlines in
an HTTP response, header injection can occur. Django itself is unaffected
because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential
directory traversal via django.contrib.admindocs. Staff members could use the
...
- https://bugs.mageia.org/show_bug.cgi?id=28802
- https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
- https://www.djangoproject.com/weblog/2021/may/04/security-releases/
- https://www.djangoproject.com/weblog/2021/may/06/security-releases/
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
- https://docs.djangoproject.com/en/dev/releases/3.1.8/
- https://docs.djangoproject.com/en/dev/releases/3.1.9/
- https://docs.djangoproject.com/en/dev/releases/3.1.10/
- https://docs.djangoproject.com/en/dev/releases/3.1.11/
- https://docs.djangoproject.com/en/dev/releases/3.1.12/
- https://docs.djangoproject.com/en/dev/releases/3.1.13/
- https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html
- https://ubuntu.com/security/notices/USN-4902-1
- https://ubuntu.com/security/notices/USN-4932-1
- https://ubuntu.com/security/notices/USN-4975-1
- https://www.cve.org/CVERecord?id=CVE-2021-28658
- https://www.cve.org/CVERecord?id=CVE-2021-31542
- https://www.cve.org/CVERecord?id=CVE-2021-32052
- https://www.cve.org/CVERecord?id=CVE-2021-33203
- https://www.cve.org/CVERecord?id=CVE-2021-33571
- https://www.cve.org/CVERecord?id=CVE-2021-35042
- 8/core/python-django-3.1.13-1.mga8
Get the latest Linux and open source security news straight to your inbox.