CVE-2021-28658

Publication date 6 April 2021

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

5.3 · Medium

Score breakdown

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

Status

Package Ubuntu Release Status
python-django 24.10 oracular
Fixed 2:2.2.19-1ubuntu1
24.04 LTS noble
Fixed 2:2.2.19-1ubuntu1
23.10 mantic
Fixed 2:2.2.19-1ubuntu1
23.04 lunar
Fixed 2:2.2.19-1ubuntu1
22.10 kinetic
Fixed 2:2.2.19-1ubuntu1
22.04 LTS jammy
Fixed 2:2.2.19-1ubuntu1
21.10 impish
Fixed 2:2.2.19-1ubuntu1
21.04 hirsute
Fixed 2:2.2.19-1ubuntu1
20.10 groovy
Fixed 2:2.2.16-1ubuntu0.3
20.04 LTS focal
Fixed 2:2.2.12-1ubuntu0.5
18.04 LTS bionic
Fixed 1:1.11.11-1ubuntu1.12
16.04 LTS xenial
Fixed 1.8.7-1ubuntu5.15
14.04 LTS trusty Ignored end of ESM support, was needed

Severity score breakdown

Parameter Value
Base score 5.3 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

Other references