CVE-2021-45452 — Path Traversal in Django

CWE-22 — Path Traversal9 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 47.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Fedoraproject Fedora

Timeline

PublishedJan 5

Latest updateJan 12

Description

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDdjangoproject/django2.2 — 2.2.26+2

▶PyPIdjangoproject/django2.2 — 2.2.26+2

Also affects: Fedora 35

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗Patch: docs.djangoproject.com ↗

🔴Vulnerability Details

GHSA

Directory-traversal in Django↗2022-01-12

▶

OSV

Directory-traversal in Django↗2022-01-12

▶

OSV

CVE-2021-45452: Storage↗2022-01-05

▶

OSV

python-django vulnerabilities↗2022-01-05

▶

CVEList

CVE-2021-45452: Storage↗2022-01-04

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2022-01-05

▶

Red Hat

django: Potential directory-traversal via Storage.save()↗2022-01-04

▶

Debian

CVE-2021-45452: python-django - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0....↗2021

▶