CVE-2021-31542 — Path Traversal in Django

CWE-22 — Path Traversal CWE-434 — Unrestricted File Upload9 documents7 sources

Severity

7.5HIGHNVD

EPSS

6.9%

top 8.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Debian Linux Fedoraproject Fedora

Timeline

PublishedMay 5

Latest updateJun 4

Description

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django2.2 — 2.2.21+2

▶PyPIdjangoproject/django2.2 — 2.2.21+2

Also affects: Debian Linux 9.0, Fedora 34, 35

Patches

Patch: www.openwall.com ↗Patch: docs.djangoproject.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

Path Traversal in Django↗2021-06-04

▶

GHSA

Path Traversal in Django↗2021-06-04

▶

OSV

CVE-2021-31542: In Django 2↗2021-05-05

▶

CVEList

CVE-2021-31542: In Django 2↗2021-05-05

▶

📋Vendor Advisories

Ubuntu

Django vulnerability↗2021-05-13

▶

Red Hat

django: Potential directory-traversal via uploaded files↗2021-05-04

▶

Ubuntu

Django vulnerability↗2021-05-04

▶

Debian

CVE-2021-31542: python-django - In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartPa...↗2021

▶