{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-28T09:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"}, {"name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"}, {"name": "FEDORA-2021-01044b8a59", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28658", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.djangoproject.com/en/3.1/releases/security/", "refsource": "MISC", "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"name": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU", "refsource": "MISC", "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"}, {"name": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"}, {"name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"}, {"name": "FEDORA-2021-01044b8a59", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"}, {"name": "https://security.netapp.com/advisory/ntap-20210528-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:47:33.200Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"}, {"name": "[debian-lts-announce] 20210409 [SECURITY] [DLA 2622-1] python-django security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"}, {"name": "FEDORA-2021-01044b8a59", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28658", "datePublished": "2021-04-06T14:51:43", "dateReserved": "2021-03-17T00:00:00", "dateUpdated": "2024-08-03T21:47:33.200Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "4EF13F74-904C-46BE-89F3-0D530D89961D", "versionEndExcluding": "2.2.20", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5308A30-2968-42DB-88E3-9C1A546E8F4F", "versionEndExcluding": "3.0.14", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA1FCB48-4616-4383-9C3D-7C86A05F260B", "versionEndExcluding": "3.1.8", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability."}, {"lang": "es", "value": "En Django versiones 2.2 anteriores a 2.2.20, versiones 3.0 anteriores a 3.0.14 y versiones 3.1 anteriores a 3.1.8, MultiPartParser permit\u00eda un salto de directorio por medio de archivos cargados con nombres de archivo adecuadamente dise\u00f1ados. Los controladores de carga integrados no est\u00e1n afectados por esta vulnerabilidad"}], "id": "CVE-2021-28658", "lastModified": "2023-11-07T03:32:17.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-06T15:15:13.437", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210528-0001/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:5070", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "python-django20-0:2.0.13-16.el8ost.1", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2021-12-09T00:00:00Z"}, {"advisory": "RHSA-2021:4702", "cpe": "cpe:/a:redhat:satellite:6.10::el7", "package": "python3-django-0:2.2.24-1.el7pc", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:4702", "cpe": "cpe:/a:redhat:satellite_capsule:6.10::el7", "package": "python3-django-0:2.2.24-1.el7pc", "product_name": "Red Hat Satellite 6.10 for RHEL 7", "release_date": "2021-11-16T00:00:00Z"}], "bugzilla": {"description": "django: potential directory-traversal via uploaded files", "id": "1944801", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944801"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.", "A flaw was found in Django. This flaw allows an attacker to upload specially-named files and exploit a flaw in the `MultiPartParser()` function to traverse directories. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2021-28658", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "django", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "package_name": "django", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2021-04-06T08:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-28658\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28658\nhttps://www.djangoproject.com/weblog/2021/apr/06/security-releases/"], "statement": "Although Red Hat Ansible Tower ships the flawed code, it does not use the vulnerable function i.e. \"MultiPartParser\" and therefore will not be updated.\nRed Hat Update Infrastructure ship affected version of python-django however RHUI v3 is in maintenance support phase and we are only fixing critical and important fixes. Please refer RHUI support lifecycle page for more information: https://access.redhat.com/support/policy/updates/rhui.\nIn Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-django package.", "threat_severity": "Moderate", "upstream_fix": "python-django 2.2, python-django 3.0, python-django 3.1, python-django 3.2"}