Lucene search

K
archlinuxArchLinuxASA-202102-18
HistoryFeb 07, 2021 - 12:00 a.m.

[ASA-202102-18] python-django: directory traversal

2021-02-0700:00:00
security.archlinux.org
123

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

49.9%

Arch Linux Security Advisory ASA-202102-18

Severity: Low
Date : 2021-02-07
CVE-ID : CVE-2021-3281
Package : python-django
Type : directory traversal
Remote : No
Link : https://security.archlinux.org/AVG-1518

Summary

The package python-django before version 3.1.6-1 is vulnerable to
directory traversal.

Resolution

Upgrade to 3.1.6-1.

pacman -Syu “python-django>=3.1.6-1”

The problem has been fixed upstream in version 3.1.6.

Workaround

None.

Description

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6,
the django.utils.archive.extract method (used by “startapp --template”
and “startproject --template”) allows directory traversal via an
archive with absolute paths or relative paths with dot segments.

Impact

An attacker might be able to write files in arbitrary file system
locations by tricking the user to select a crafted template file that
leads to directory traversal.

References

https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624
https://security.archlinux.org/CVE-2021-3281

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanypython-django< 3.1.6-1UNKNOWN

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

49.9%