CVE-2021-33571
Published 2021-06-08
Priority P3 47 · high · CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS 3.06% (85.9th percentile)
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. An IPv4 literal such as one with a leading-zero octet is accepted by the validator, but is parsed as octal by the C library that the socket layer relies on, so an IP-based access control (a deny list for SSRF protection, for example) can be bypassed. (validate_ipv4_address and validate_ipv46_address are unaffected on Python 3.9.5+, where the ipaddress module rejects leading zeros itself.)
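The following is an added example written for this page, not Django's own code: it models the disagreement the advisory describes between a permissive validator, a decimal-minded deny-list check, and a libc-style inet_aton() reading of the same literal, and shows how a strict validator closes the gap. The regexes are modelled on, but not copied from, Django's pre-fix and post-fix patterns; the deny list, the sample literals, and the gate functions are constructed for illustration.

```python
"""
CVE-2021-33571 in miniature, written for this page rather than taken from
Django: an IPv4 literal with a leading-zero octet passes a permissive
validator, a decimal-only deny-list check reads it one way, and the C
library under the socket layer reads it as octal, so the two disagree and
the deny list is bypassed. Rejecting leading zeros at validation time
removes the ambiguity. Regexes are modelled on, not copied from, Django's.
"""
import ipaddress
import re

# Permissive octet in the style of the pre-fix URLValidator: "012" is accepted.
LAX_OCTET = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)'
# Strict octet in the style of the 2.2.24 / 3.1.12 / 3.2.4 fix: "0" or no leading zero.
STRICT_OCTET = r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)'
LAX_IPV4_RE = re.compile(rf'^{LAX_OCTET}(?:\.{LAX_OCTET}){{3}}$')
STRICT_IPV4_RE = re.compile(rf'^{STRICT_OCTET}(?:\.{STRICT_OCTET}){{3}}$')

# Deny list for a hypothetical outbound-fetch feature (constructed sample).
DENY = [ipaddress.ip_network(n) for n in ('127.0.0.0/8', '10.0.0.0/8', '169.254.169.254/32')]


def has_leading_zero_octet(value: str) -> bool:
    """Post-parse guard of the kind the fix adds for ipaddress-based validators."""
    return any(o != '0' and o.startswith('0') for o in value.split('.'))


def decimal_normalize(value: str) -> str:
    """A decimal-only reading ('0177' -> 177), as ipaddress did before Python 3.9.5."""
    octets = value.split('.')
    if len(octets) != 4 or not all(o.isascii() and o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f'not a dotted quad: {value!r}')
    return '.'.join(str(int(o)) for o in octets)


def _c_number(token: str) -> int:
    """strtoul(..., base 0) rules used by inet_aton(): 0x is hex, a leading 0 is octal."""
    if token[:2].lower() == '0x':
        return int(token[2:], 16)
    if len(token) > 1 and token[0] == '0':
        return int(token, 8)
    return int(token, 10)


def inet_aton_normalize(value: str) -> str:
    """Model of BSD/glibc inet_aton(): one to four C-syntax numbers, the last
    one filling the remaining low-order bytes. This is what connect() will use."""
    parts = value.split('.')
    if not 1 <= len(parts) <= 4 or '' in parts:
        raise ValueError(f'inet_aton rejects {value!r}')
    nums = [_c_number(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    width = 4 - len(head)
    if any(not 0 <= n <= 255 for n in head) or not 0 <= last < 1 << (8 * width):
        raise ValueError(f'value out of range in {value!r}')
    return '.'.join(str(b) for b in bytes(head) + last.to_bytes(width, 'big'))


def denied(dotted: str) -> bool:
    addr = ipaddress.ip_address(dotted)
    return any(addr in net for net in DENY)


def vulnerable_gate(value: str) -> bool:
    """Pre-fix shape: accept anything a decimal parser accepts (validate_ipv4_address
    on Python < 3.9.5), then consult the deny list. True means the fetch is allowed."""
    try:
        seen_by_deny_list = decimal_normalize(value)
    except ValueError:
        return False
    return not denied(seen_by_deny_list)


def hardened_gate(value: str) -> bool:
    """Post-fix shape: strict syntax plus the explicit leading-zero guard, so the
    literal the deny list sees is the literal the socket layer will connect to."""
    if not STRICT_IPV4_RE.match(value) or has_leading_zero_octet(value):
        return False
    return not denied(decimal_normalize(value))


def report(value: str) -> dict:
    """What each layer thinks the literal means, and whether each gate lets it through."""
    try:
        libc_target = inet_aton_normalize(value)
    except ValueError:
        libc_target = None
    try:
        deny_list_view = decimal_normalize(value)
    except ValueError:
        deny_list_view = None
    return {
        'lax_url_regex_matches': LAX_IPV4_RE.match(value) is not None,
        'deny_list_reads': deny_list_view,
        'libc_reads': libc_target,
        'vulnerable_gate_allows': vulnerable_gate(value),
        'hardened_gate_allows': hardened_gate(value),
    }


if __name__ == '__main__':
    for literal in ('0177.0.0.1', '012.0.0.1', '127.0.0.1', '93.184.216.34'):
        print(literal, report(literal))
```

For `0177.0.0.1` the deny list sees 177.0.0.1 and waves it through while inet_aton() produces 127.0.0.1; for `012.0.0.1` the deny list sees 12.0.0.1 while the socket layer connects to 10.0.0.1. The three-character form is the one the pre-fix URLValidator regex accepted, whereas the four-character form only got past validate_ipv4_address on older Pythons. On a glibc system `socket.inet_aton('0177.0.0.1')` returns the bytes of 127.0.0.1, which is the real-world counterpart of the model above.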
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 2:2.2.24-1 (bookworm) | python-django 2:2.2.24-1 (bookworm) |
| djangoproject | django | >= 2.2 < 2.2.24 | 2.2.24 |
| djangoproject | django | >= 2.2a1 < 2.2.24 | 2.2.24 |
| djangoproject | django | >= 3.0 < 3.1.12 | 3.1.12 |
| djangoproject | django | >= 3.0a1 < 3.1.12 | 3.1.12 |
| djangoproject | django | >= 3.2 < 3.2.4 | 3.2.4 |
| djangoproject | django | >= 3.2a1 < 3.2.4 | 3.2.4 |
| fedoraproject | fedora | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
GHSA
Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
ghsa · 2021-06-10 · CVE-2021-33571 [HIGH] · CWE-918
OSV
Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks
osv · 2021-06-10 · CVE-2021-33571 [HIGH]
OSV
osv · 2021-06-08 · CVSS 7.5 · CVE-2021-33571 [HIGH]
OSV
python-django vulnerabilities
osv · 2021-06-02 · CVSS 6.1 · CVE-2021-32052 [MEDIUM]
It was discovered that the Django URLValidator function incorrectly handled newlines and tabs. A remote attacker could possibly use this issue to perform a header injection attack. This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32052)
Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django incorrectly handled path sanitation in admindocs. A remote attacker could possibly use this issue to determine the existence of arbitrary files and in certain configurations obtain their contents. (CVE-2021-33203)
It was discovered that Django incorrectly handled IPv4 addresses with leading zeros. A remote attacker could possibly use this issue to perform a wide variety of attacks, including bypassing certain access
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2021-06-02 · CVSS 6.1 · CVE-2021-32052 [MEDIUM]
Summary: Several security issues were fixed in Django.
Red Hat
django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
vendor_redhat · 2021-06-02 · CVSS 7.5 · CVE-2021-33571 [HIGH] · CWE-918
A flaw was found in django. Leading zeros in octal literals aren't prohibited in IP addresses. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. The highest threat from this vulnerability is to data integrity.
Statement: Red Hat Update Infrastructure is in maintenance phase and we will n
Debian
CVE-2021-33571: python-django
vendor_debian · 2021 · CVSS 7.5 · CVE-2021-33571 [HIGH]
Scope: local
bookworm: resolved (fixed in 2:2.2.24-1)
bullseye: resolved (fixed in 2:2.2.24-1)
forky: resolved (fixed in 2:2.2.24-1)
sid: resolved (fixed in 2:2.2.24-1)
trixie: resolved (fixed in 2:2.2.24-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://docs.djangoproject.com/en/3.2/releases/security/
https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://security.netapp.com/advisory/ntap-20210727-0004/
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
Published: 2021-06-08