[ASA-202106-41] python-django: multiple issues
santiago at archlinux.org
Thu Jun 17 16:28:20 UTC 2021
Arch Linux Security Advisory ASA-202106-41
Date : 2021-06-15
CVE-ID : CVE-2021-33203 CVE-2021-33571
Package : python-django
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2026
The package python-django before version 3.2.4-1 is vulnerable to
multiple issues including insufficient validation and directory
Upgrade to 3.2.4-1.
# pacman -Syu "python-django>=3.2.4-1"
The problems have been fixed upstream in version 3.2.4.
- CVE-2021-33203 (directory traversal)
A security issue has been found in Django before version 3.2.4. Staff
members could use the admindocs TemplateDetailView view to check the
existence of arbitrary files. Additionally, if (and only if) the
default admindocs templates have been customized by the developers to
also expose the file contents, then not only the existence but also the
file contents would have been exposed.
- CVE-2021-33571 (insufficient validation)
A security issue has been found in Django before version 3.2.4.
URLValidator, validate_ipv4_address(), and validate_ipv46_address()
didn't prohibit leading zeros in octal literals. If you used such
values you could suffer from indeterminate SSRF, RFI, and LFI attacks.
validate_ipv4_address() and validate_ipv46_address() validators were
not affected on Python 3.9.5+.
User accounts with staff privileges could check for the existence of
arbitrary files, and possibly disclose their contents. Additionally,
leading zeros in IPv4 addresses could be used to bypass IP-based access
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security