CVE-2021-44420
published 2021-12-08

Priority: P3 45
CVSS 3.1: 7.3 high (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS: 2.30% (81.1th percentile)
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Affected

14 ranges

Vendor        | Product       | Version range                              | Fixed in
canonical     | ubuntu_linux  |                                            |
canonical     | ubuntu_linux  |                                            |
canonical     | ubuntu_linux  |                                            |
debian        | debian_linux  |                                            |
debian        | debian_linux  |                                            |
debian        | python-django | < python-django 2:3.2.10-1 (bookworm)      | python-django 2:3.2.10-1 (bookworm)
djangoproject | django        | >= 2.2 < 2.2.25                            | 2.2.25
djangoproject | django        | >= 2.2a1 < 2.2.25                          | 2.2.25
djangoproject | django        | >= 3.0a1 < 3.1.14                          | 3.1.14
djangoproject | django        | >= 3.1 < 3.1.14                            | 3.1.14
djangoproject | django        | >= 3.2 < 3.2.10                            | 3.2.10
djangoproject | django        | >= 3.2a1 < 3.2.10                          | 3.2.10
fedoraproject | fedora        |                                            |
redhat        | satellite     |                                            |

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.3   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 7.3   | HIGH     |
vendor_debian |         | 7.3   | HIGH     |
vendor_redhat |         | 7.3   | HIGH     |