Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-2676-1:081FA
HistoryJun 05, 2021 - 9:58 a.m.

[SECURITY] [DLA 2676-1] python-django security update

2021-06-0509:58:58
lists.debian.org
73
JSON

Debian LTS Advisory DLA-2676-1 [email protected]
https://www.debian.org/lts/security/ Chris Lamb
June 05, 2021 https://wiki.debian.org/LTS

Package : python-django
Version : 1:1.10.7-2+deb9u14
CVE IDs : CVE-2021-33203 CVE-2021-33571
Debian Bug : #989394

Two issues were discovered in Django, the Python-based web
development framework:

  • CVE-2021-33203: Potential directory traversal via admindocs

    Staff members could use the admindocs TemplateDetailView view to
    check the existence of arbitrary files. Additionally, if (and only
    if) the default admindocs templates have been customized by the
    developers to also expose the file contents, then not only the
    existence but also the file contents would have been exposed.

    As a mitigation, path sanitation is now applied and only files
    within the template root directories can be loaded.

    This issue has low severity, according to the Django security
    policy.

    Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from
    the CodeQL Python team for the report.

  • CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks
    since validators accepted leading zeros in IPv4 addresses

    URLValidator, validate_ipv4_address(), and
    validate_ipv46_address() didn't prohibit leading zeros in octal
    literals. If you used such values you could suffer from
    indeterminate SSRF, RFI, and LFI attacks.

    validate_ipv4_address() and validate_ipv46_address() validators
    were not affected on Python 3.9.5+.

    This issue has medium severity, according to the Django security
    policy.

For Debian 9 "Stretch", this problem has been fixed in version
1:1.10.7-2+deb9u14.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Related

archlinux 1
nessus 9
openvas 8
osv 12
ubuntu 2
redhat 3
debian 1
veracode 2
debiancve 2
cve 2
github 2
prion 2
redhatcve 2
alpinelinux 2
altlinux 2
ubuntucve 2
mageia 1
fedora 1
oraclelinux 1
sonarsource 1
archlinux
archlinux
[ASA-202106-41] python-django: multiple issues
2021-06-15 00:00:00
nessus
nessus
Debian DLA-2676-1 : python-django security update
2021-06-07 00:00:00
Ubuntu 18.04 LTS / 20.04 LTS : Django vulnerabilities (USN-4975-1)
2021-06-02 00:00:00
RHEL 8 : Red Hat OpenStack Platform 16.2 (python-django20) (RHSA-2021:3490)
2022-09-15 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-2676-1)
2021-06-06 00:00:00
Django < 2.2.24, 3.0 < 3.1.12, 3.2 < 3.2.4 Multiple Vulnerabilities - Linux
2021-06-09 00:00:00
Django < 2.2.24, 3.0 < 3.1.12, 3.2 < 3.2.4 Multiple Vulnerabilities - Windows
2021-06-09 00:00:00
osv
osv
python-django - security update
2021-06-05 00:00:00
python-django vulnerabilities
2021-06-02 10:49:04
python-django - security update
2024-02-29 00:00:00
ubuntu
ubuntu
Django vulnerabilities
2021-06-02 00:00:00
Django vulnerability
2021-06-07 00:00:00
redhat
redhat
(RHSA-2021:3490) Moderate: Red Hat OpenStack Platform 16.2 (python-django20) security update
2021-09-15 06:28:49
(RHSA-2021:5070) Moderate: Red Hat OpenStack Platform 16.1 (python-django20) security update
2021-12-09 19:50:28
(RHSA-2021:4702) Moderate: Satellite 6.10 Release
2021-11-16 13:58:57
debian
debian
[SECURITY] [DLA 3744-1] python-django security update
2024-02-29 19:11:46
veracode
veracode
Server-Side Request Forgery (SSRF)
2021-06-03 04:29:52
Directory Traversal
2021-06-03 05:59:43
debiancve
debiancve
CVE-2021-33571
2021-06-08 18:15:00
CVE-2021-33203
2021-06-08 18:15:00
cve
cve
CVE-2021-33571
2021-06-08 18:15:00
CVE-2021-33203
2021-06-08 18:15:00
github
github
Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
2021-06-10 17:21:12
Path Traversal in Django
2021-06-10 17:21:00
prion
prion
Improper access control
2021-06-08 18:15:00
Directory traversal
2021-06-08 18:15:00
redhatcve
redhatcve
CVE-2021-33571
2021-06-02 17:45:24
CVE-2021-33203
2021-06-02 17:52:19
alpinelinux
alpinelinux
CVE-2021-33571
2021-06-08 18:15:00
CVE-2021-33203
2021-06-08 18:15:00
altlinux
altlinux
Security fix for the ALT Linux 10 package python3-module-django version 2.2.24-alt1
2021-07-13 00:00:00
Security fix for the ALT Linux 9 package python3-module-django version 2.2.24-alt1
2021-07-13 00:00:00
ubuntucve
ubuntucve
CVE-2021-33203
2021-06-02 00:00:00
CVE-2021-33571
2021-06-02 00:00:00
mageia
mageia
Updated python-django package fixes security vulnerabilities
2021-07-16 11:25:31
fedora
fedora
[SECURITY] Fedora 35 Update: python-django-3.2.12-1.fc35
2022-02-11 01:23:09
oraclelinux
oraclelinux
ol-automation-manager security update
2022-04-27 00:00:00
sonarsource
sonarsource
10 Unknown Security Pitfalls for Python
2021-11-16 00:00:00
JSON
Related for DEBIAN:DLA-2676-1:081FA
archlinux1nessus9openvas8osv12ubuntu2redhat3debian1veracode2debiancve2cve2github2prion2redhatcve2alpinelinux2altlinux2ubuntucve2mageia1fedora1oraclelinux1sonarsource1