CVE-2021-33571
Aliases:GHSA-p99v-5w3c-jqq9BIT-django-2021-33571PYSEC-2021-99
Advisory lineage Upstream: 0 Downstream: 17
Modified
Published: 08 Jun 2021, 00:00
Last modified:03 Aug 2024, 23:50
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.01% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
08 Jun 2021, 00:00
Published
Vulnerability first disclosed
03 Aug 2024, 23:50
Last Modified
Vulnerability information updated
Description
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .
CVSS Metrics
- v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 0.01%• Percentile: 3%
Techniques & Countermeasures
- CWE-918•Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Affected Systems
- djangoproject•django
≥ 2.2, < 2.2.24 | ≥ 3.0, < 3.1.12 | ≥ 3.2, < 3.2.4
- fedoraproject•fedora
35
- PyPI•django
≥ 2.2a1, < 2.2.24 | ≥ 3.0a1, < 3.1.12 | ≥ 3.2a1, < 3.2.4 | ≥ 3.2, < 3.2.4
References (17)
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
- https://security.netapp.com/advisory/ntap-20210727-0004/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
- https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
- https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
- https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
- https://nvd.nist.gov/vuln/detail/CVE-2021-33571
- https://docs.djangoproject.com/en/3.2/releases/security
- https://github.com/advisories/GHSA-p99v-5w3c-jqq9
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-99.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20210727-0004
- https://www.djangoproject.com/weblog/2021/jun/02/security-releases