GoogleOSV:GHSA-V6RH-HP5X-86RVPotential bypass of an upstream access control based on URL paths in Django
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
43.7%
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
References
docs.djangoproject.com/en/3.2/releases/security
github.com/django/django
github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6
groups.google.com/forum/#!forum/django-announce
lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
nvd.nist.gov/vuln/detail/CVE-2021-44420
security.netapp.com/advisory/ntap-20211229-0006
www.djangoproject.com/weblog/2021/dec/07/security-releases
www.openwall.com/lists/oss-security/2021/12/07/1
Related
7.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
43.7%