Lucene search

K

GoogleOSV:GHSA-RXJP-MFM9-W4WR

HistoryJun 04, 2021 - 9:15 p.m.

Path Traversal in Django

2021-06-0421:15:56

Google

osv.dev

15

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

59.0%

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

CPENameOperatorVersion
djangoeq3.0.14
djangoeq2.2.11
djangoeq3.1.5
djangoeq3.0.1
djangoeq2.2.8
djangoeq3.1.6
djangoeq3.0.7
djangoeq3.2
djangoeq3.0.3
djangoeq3.1.1

Rows per page:

1-10 of 491

References

www.openwall.com/lists/oss-security/2021/05/04/3

docs.djangoproject.com/en/3.2/releases/security

github.com/django/django

github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d

github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48

github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007

groups.google.com/forum/#!forum/django-announce

groups.google.com/forum/#%21forum/django-announce

lists.debian.org/debian-lts-announce/2021/05/msg00005.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE

lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV

lists.fedoraproject.org/archives/list/[email protected]/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE

nvd.nist.gov/vuln/detail/CVE-2021-31542

security.netapp.com/advisory/ntap-20210618-0001

www.djangoproject.com/weblog/2021/may/04/security-releases

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

59.0%

Related for OSV:GHSA-RXJP-MFM9-W4WR

nessus8 freebsd1 ubuntucve1 cve1 osv7 redhatcve1 openvas9 prion1 debiancve1 github1 debian2 veracode1 ubuntu2 cvelist1 fedora2 altlinux2 redhat2 mageia1 oraclelinux1