CVE-2021-3281: Django Directory Traversal via archive.extract
(updated )
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by “startapp –template” and “startproject –template”) allows directory traversal via an archive with absolute paths or relative paths with dot segments.
References
- docs.djangoproject.com/en/3.1/releases/3.0.12
- docs.djangoproject.com/en/3.1/releases/security
- github.com/advisories/GHSA-fvgf-6h6h-3322
- github.com/django/django
- github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624
- github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23
- github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37
- github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-9.yaml
- groups.google.com/forum/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO
- nvd.nist.gov/vuln/detail/CVE-2021-3281
- security.netapp.com/advisory/ntap-20210226-0004
- www.djangoproject.com/weblog/2021/feb/01/security-releases
Detect and mitigate CVE-2021-3281 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →