CVE-2021-44420

Description

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

CVSS Metrics

• v4.0•MEDIUM•Score: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
• v3.1•HIGH•Score: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.12%• Percentile: 30%

Affected Systems

• canonical•ubuntu_linux

  20.04 | 21.04 | 21.10

• debian•debian_linux

  10.0 | 11.0

• djangoproject•django

  ≥ 2.2, < 2.2.25 | ≥ 3.1, < 3.1.14 | ≥ 3.2, < 3.2.10

• fedoraproject•fedora

  35

• PyPI•django

  ≥ 2.2a1, < 2.2.25 | ≥ 3.0a1, < 3.1.14 | ≥ 3.2a1, < 3.2.10 | ≥ 3.2, < 3.2.10

• redhat•satellite

  6.0

References (16)

• https://groups.google.com/forum/#%21forum/django-announce
• https://docs.djangoproject.com/en/3.2/releases/security/
• https://www.openwall.com/lists/oss-security/2021/12/07/1
• https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
• https://security.netapp.com/advisory/ntap-20211229-0006/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
• https://nvd.nist.gov/vuln/detail/CVE-2021-44420
• https://github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6
• https://docs.djangoproject.com/en/3.2/releases/security
• https://github.com/advisories/GHSA-v6rh-hp5x-86rv
• https://github.com/django/django
• https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-439.yaml
• https://groups.google.com/forum/#!forum/django-announce
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• https://security.netapp.com/advisory/ntap-20211229-0006
• https://www.djangoproject.com/weblog/2021/dec/07/security-releases