CVE-2021-33571: Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks

June 10, 2021 (updated September 20, 2024)

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

References

docs.djangoproject.com/en/3.2/releases/security
github.com/advisories/GHSA-p99v-5w3c-jqq9
github.com/django/django
github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-99.yaml
groups.google.com/g/django-announce/c/sPyjSKMi8Eo
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
nvd.nist.gov/vuln/detail/CVE-2021-33571
security.netapp.com/advisory/ntap-20210727-0004
www.djangoproject.com/weblog/2021/jun/02/security-releases

Detect and mitigate CVE-2021-33571 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →