TROYANOSYVIRUS
Back to CVEs

CVE-2021-31542

HIGH
7.5

Description

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

CVE Details

CVSS v3.1 Score7.5
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published5/5/2021
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0

Affected Products

debian:debian_linuxdjangoproject:djangofedoraproject:fedora

Weaknesses (CWE)

CWE-22

References

http://www.openwall.com/lists/oss-security/2021/05/04/3(cve@mitre.org)
https://docs.djangoproject.com/en/3.2/releases/security/(cve@mitre.org)
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d(cve@mitre.org)
https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48(cve@mitre.org)
https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007(cve@mitre.org)
https://groups.google.com/forum/#%21forum/django-announce(cve@mitre.org)
https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html(cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/(cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/(cve@mitre.org)
https://security.netapp.com/advisory/ntap-20210618-0001/(cve@mitre.org)
https://www.djangoproject.com/weblog/2021/may/04/security-releases/(cve@mitre.org)
http://www.openwall.com/lists/oss-security/2021/05/04/3(af854a3a-2127-422b-91ae-364da2661108)
https://docs.djangoproject.com/en/3.2/releases/security/(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007(af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/forum/#%21forum/django-announce(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/(af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20210618-0001/(af854a3a-2127-422b-91ae-364da2661108)
https://www.djangoproject.com/weblog/2021/may/04/security-releases/(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.