CVE-2021-33571 — Server-Side Request Forgery in Django

CWE-918 — Server-Side Request Forgery8 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 90.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Fedoraproject Fedora

Timeline

PublishedJun 8

Latest updateJun 10

Description

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdjangoproject/django2.2 — 2.2.24+2

▶PyPIdjangoproject/django2.2a1 — 2.2.24+2

Also affects: Fedora 35

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: docs.djangoproject.com ↗

🔴Vulnerability Details

GHSA

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks↗2021-06-10

▶

OSV

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks↗2021-06-10

▶

OSV

CVE-2021-33571: In Django 2↗2021-06-08

▶

CVEList

CVE-2021-33571: In Django 2↗2021-06-08

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2021-06-02

▶

Red Hat

django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses↗2021-06-02

▶

Debian

CVE-2021-33571: python-django - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidat...↗2021

▶