CVE-2021-3281 — Path Traversal in Django

CWE-22 — Path Traversal10 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

36.2%

top 2.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Fedoraproject Fedora

Timeline

PublishedFeb 2

Latest updateNov 21

Description

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDdjangoproject/django2.2 — 2.2.18+2

▶PyPIdjangoproject/django2.2 — 2.2.18+2

Also affects: Fedora 33

Patches

Patch: docs.djangoproject.com ↗Patch: docs.djangoproject.com ↗

🔴Vulnerability Details

OSV

Django Directory Traversal via archive.extract↗2021-03-18

▶

GHSA

Django Directory Traversal via archive.extract↗2021-03-18

▶

OSV

CVE-2021-3281: In Django 2↗2021-02-02

▶

CVEList

CVE-2021-3281: In Django 2↗2021-02-02

▶

📋Vendor Advisories

Red Hat

django: Potential directory-traversal via archive.extract()↗2021-02-01

▶

Ubuntu

Django vulnerability↗2021-02-01

▶

Ubuntu

Django vulnerability↗2021-02-01

▶

Debian

CVE-2021-3281: python-django - In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django...↗2021

▶

💬Community

HackerOne

Path traversal via archive.extract - CVE 2021-3281 incomplete patch↗2025-11-21

▶