CVE-2021-32052
published 2021-05-06CVE-2021-32052: In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the…
PriorityP429medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
3.15%
86.3th percentile
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 2:2.2.22-1 (bookworm) | python-django 2:2.2.22-1 (bookworm) |
| djangoproject | django | >= 2.2 < 2.2.22 | 2.2.22 |
| djangoproject | django | >= 2.2 < 2.2.22 | 2.2.22 |
| djangoproject | django | >= 3.1 < 3.1.10 | 3.1.10 |
| djangoproject | django | >= 3.1 < 3.1.10 | 3.1.10 |
| djangoproject | django | >= 3.2 < 3.2.2 | 3.2.2 |
| djangoproject | django | >= 3.2 < 3.2.2 | 3.2.2 |
| fedoraproject | fedora | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv6.1MEDIUM
vendor_debian6.1LOW
vendor_redhat6.1MEDIUM
vendor_ubuntu6.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
python-django vulnerabilities
osv·2022-04-11·CVSS 6.1
CVE-2022-28346 [MEDIUM] python-django vulnerabilities
python-django vulnerabilities
It was discovered that Django incorrectly handled certain certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that Django incorrectly handled certain option names in
the QuerySet.explain() method. A remote attacker could possibly use this
issue to perform an SQL injection attack. This issue only affected Ubuntu
20.04 LTS, and Ubuntu 21.10. (CVE-2022-28347)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 18.04
LTS. (CVE-2021-32052)
OSV
python-django vulnerabilities
osv·2022-04-11·CVSS 6.1
CVE-2022-28346 [MEDIUM] python-django vulnerabilities
python-django vulnerabilities
USN-5373-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Django incorrectly handled certain certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. (CVE-2021-32052)
OSV
Header injection possible in Django
osv·2021-06-09
CVE-2021-32052 [MEDIUM] Header injection possible in Django
Header injection possible in Django
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
GHSA
Header injection possible in Django
ghsa·2021-06-09
CVE-2021-32052 [MEDIUM] CWE-79 Header injection possible in Django
Header injection possible in Django
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
OSV
python-django vulnerabilities
osv·2021-06-02·CVSS 6.1
CVE-2021-32052 [MEDIUM] python-django vulnerabilities
python-django vulnerabilities
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 20.04
LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32052)
Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django
incorrectly handled path sanitation in admindocs. A remote attacker could
possibly use this issue to determine the existence of arbitrary files and
in certain configurations obtain their contents. (CVE-2021-33203)
It was discovered that Django incorrectly handled IPv4 addresses with
leading zeros. A remote attacker could possibly use this issue to perform a
wide variety of attacks, including bypassing certain access
OSV
CVE-2021-32052: In Django 2
osv·2021-05-06·CVSS 6.1
CVE-2021-32052 [MEDIUM] CVE-2021-32052: In Django 2
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
Ubuntu
Django vulnerabilities
vendor_ubuntu·2022-04-11·CVSS 6.1
CVE-2022-28346 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled certain certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that Django incorrectly handled certain option names in
the QuerySet.explain() method. A remote attacker could possibly use this
issue to perform an SQL injection attack. This issue only affected Ubuntu
20.04 LTS, and Ubuntu 21.10. (CVE-2022-28347)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only aff
Ubuntu
Django vulnerabilities
vendor_ubuntu·2022-04-11·CVSS 6.1
CVE-2021-32052 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
USN-5373-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Django incorrectly handled certain certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. (CVE-2021-32052)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Django vulnerabilities
vendor_ubuntu·2021-06-02·CVSS 6.1
CVE-2021-32052 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 20.04
LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32052)
Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django
incorrectly handled path sanitation in admindocs. A remote attacker could
possibly use this issue to determine the existence of arbitrary files and
in certain configurations obtain their contents. (CVE-2021-33203)
It was discovered that Django incorrectly handled IPv4 addresses with
leading zeros. A remote attacker could possibly use this issue to perform a
wid
Red Hat
django: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
vendor_redhat·2021-05-06·CVSS 6.1
CVE-2021-32052 [MEDIUM] CWE-20 django: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
django: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
A flaw was found in django. On Python 3.9.5+, `URLValidator` didn't prohibited newlines and tabs which could lead to a header injection attack if these were used in an HTTP response. The highest threat from this vulnerability is to data confidentiality and integrity.
Statement: * Red Hat Gluster Storage 3 ships an old version of Django
Debian
CVE-2021-32052: python-django - In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Pytho...
vendor_debian·2021·CVSS 6.1
CVE-2021-32052 [MEDIUM] CVE-2021-32052: python-django - In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Pytho...
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
Scope: local
bookworm: resolved (fixed in 2:2.2.22-1)
bullseye: resolved (fixed in 2:2.2.22-1)
forky: resolved (fixed in 2:2.2.22-1)
sid: resolved (fixed in 2:2.2.22-1)
trixie: resolved (fixed in 2:2.2.22-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2021/05/06/1https://docs.djangoproject.com/en/3.2/releases/security/https://groups.google.com/forum/#%21forum/django-announcehttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/https://security.netapp.com/advisory/ntap-20210611-0002/https://www.djangoproject.com/weblog/2021/may/06/security-releases/http://www.openwall.com/lists/oss-security/2021/05/06/1https://docs.djangoproject.com/en/3.2/releases/security/https://groups.google.com/forum/#%21forum/django-announcehttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/https://security.netapp.com/advisory/ntap-20210611-0002/https://www.djangoproject.com/weblog/2021/may/06/security-releases/
2021-05-06
Published