CVE-2021-44420 — Improper Authentication in Django

CWE-287 — Improper Authentication CWE-290 — Authentication Bypass by Spoofing8 documents7 sources

Severity

7.3HIGHNVD

EPSS

0.1%

top 69.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Canonical Ubuntu Linux Debian Linux +2 more

Timeline

PublishedDec 8

Latest updateDec 9

Description

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages3 packages

▶NVDdjangoproject/django2.2 — 2.2.25+2

▶PyPIdjangoproject/django2.2a1 — 2.2.25+2

▶NVDredhat/satellite6.0

Also affects: Debian Linux 10.0, 11.0, Fedora 35, Ubuntu Linux 20.04, 21.04, 21.10

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

Potential bypass of an upstream access control based on URL paths in Django↗2021-12-09

▶

GHSA

Potential bypass of an upstream access control based on URL paths in Django↗2021-12-09

▶

OSV

CVE-2021-44420: In Django 2↗2021-12-08

▶

CVEList

CVE-2021-44420: In Django 2↗2021-12-07

▶

📋Vendor Advisories

Red Hat

django: potential bypass of an upstream access control based on URL paths↗2021-12-07

▶

Ubuntu

Django vulnerability↗2021-12-07

▶

Debian

CVE-2021-44420: python-django - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requ...↗2021

▶