CVE-2021-44420: Potential bypass of an upstream access control based on URL paths in Django
(updated )
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
References
- docs.djangoproject.com/en/3.2/releases/security
- github.com/advisories/GHSA-v6rh-hp5x-86rv
- github.com/django/django
- github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-439.yaml
- groups.google.com/forum/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- nvd.nist.gov/vuln/detail/CVE-2021-44420
- security.netapp.com/advisory/ntap-20211229-0006
- www.djangoproject.com/weblog/2021/dec/07/security-releases
- www.openwall.com/lists/oss-security/2021/12/07/1
Code Behaviors & Features
Detect and mitigate CVE-2021-44420 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →