CVE-2021-28658
Published 2021-04-06
Priority: P434 · medium · CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 3.86% (88.9th percentile)
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < python-django 2:2.2.20-1 (bookworm) | python-django 2:2.2.20-1 (bookworm) |
| djangoproject | django | >= 2.2 < 2.2.20 | 2.2.20 |
| djangoproject | django | >= 2.2a1 < 2.2.20 | 2.2.20 |
| djangoproject | django | >= 3.0 < 3.0.14 | 3.0.14 |
| djangoproject | django | >= 3.0a1 < 3.0.14 | 3.0.14 |
| djangoproject | django | >= 3.1 < 3.1.8 | 3.1.8 |
| djangoproject | django | >= 3.1a1 < 3.1.8 | 3.1.8 |
| fedoraproject | fedora | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Red Hat
django: potential directory-traversal via uploaded files (vendor_redhat · 2021-04-06 · CVSS 5.3 · MEDIUM · CWE-22)
A flaw was found in Django. This flaw allows an attacker to upload specially-named files and exploit a flaw in the `MultiPartParser()` function to traverse directories. The highest threat from this vulnerability is to confidentiality.
Statement: Although Red Hat Ansible Tower ships the flawed code, it does not use the vulnerable function, i.e. "MultiPartParser", and therefore will not be updated.
Red Hat Update Infrastructure ships an affected version of python-django; however, RHUI v3 is in maintenance support
Ubuntu
Django vulnerability (vendor_ubuntu · 2021-04-06)
Summary: Django could be made to overwrite files.
Dennis Brinkrolf discovered that Django incorrectly handled certain filenames. A remote attacker could possibly use this issue to create or overwrite files in unexpected directories.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
python-django (vendor_debian · 2021 · CVSS 5.3 · MEDIUM)
Scope: local
bookworm: resolved (fixed in 2:2.2.20-1)
bullseye: resolved (fixed in 2:2.2.20-1)
forky: resolved (fixed in 2:2.2.20-1)
sid: resolved (fixed in 2:2.2.20-1)
trixie: resolved (fixed in 2:2.2.20-1)
GHSA
Directory Traversal in Django (ghsa · 2021-04-08 · MEDIUM · CWE-22)
OSV
Directory Traversal in Django (osv · 2021-04-08 · MEDIUM)
OSV
CVE-2021-28658 (osv · 2021-04-06 · CVSS 5.3 · MEDIUM)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://docs.djangoproject.com/en/3.1/releases/security/
- https://groups.google.com/g/django-announce/c/ePr5j-ngdPU
- https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
- https://security.netapp.com/advisory/ntap-20210528-0001/
- https://www.djangoproject.com/weblog/2021/apr/06/security-releases/