CVE-2021-45116: Information disclosure in Django
(updated )
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language’s variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
References
- docs.djangoproject.com/en/4.0/releases/security
- github.com/advisories/GHSA-8c5j-9r9f-c6w8
- github.com/django/django
- github.com/django/django/commit/2a8ec7f546d6d5806e221ec948c5146b55bd7489
- github.com/django/django/commit/c7fe895bca06daf12cc1670b56eaf72a1ef27a16
- github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-2.yaml
- groups.google.com/forum/
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- nvd.nist.gov/vuln/detail/CVE-2021-45116
- security.netapp.com/advisory/ntap-20220121-0005
- www.djangoproject.com/weblog/2022/jan/04/security-releases
Detect and mitigate CVE-2021-45116 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →