CVE-2021-32052Cross-site Scripting in Django

CWE-79Cross-site ScriptingCWE-20Improper Input ValidationCWE-88Argument Injection13 documents7 sources
Severity
6.1MEDIUMNVD
EPSS
2.6%
top 14.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Djangoproject DjangoFedoraproject Fedora
Timeline
PublishedMay 6
Latest updateApr 11

Description

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDdjangoproject/django2.22.2.22+2
PyPIdjangoproject/django2.22.2.22+2

Also affects: Fedora 34

Patches

Patch: www.openwall.comPatch: docs.djangoproject.comPatch: www.djangoproject.com

🔴Vulnerability Details

7
OSV
python-django vulnerabilities2022-04-11
OSV
python-django vulnerabilities2022-04-11
OSV
Header injection possible in Django2021-06-09
GHSA
Header injection possible in Django2021-06-09
OSV
python-django vulnerabilities2021-06-02

📋Vendor Advisories

5
Ubuntu
Django vulnerabilities2022-04-11
Ubuntu
Django vulnerabilities2022-04-11
Ubuntu
Django vulnerabilities2021-06-02
Red Hat
django: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+2021-05-06
Debian
CVE-2021-32052: python-django - In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Pytho...2021
CVE-2021-32052 — Cross-site Scripting in Django | cvebase