CVE-2021-32052

Published: 06 May 2021

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
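A defensive check for the condition described above, given as an added example that is not code from Django or from this advisory: it rejects tab, carriage return and line feed in the raw string before any parsing, then audits a list of stored values. The names check_url, find_unsafe, UnsafeURL and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Characters the advisory names: tab, carriage return, line feed.
UNSAFE_URL_CHARS = frozenset("\t\r\n")


class UnsafeURL(ValueError):
    """Raised when a URL must not be placed in an HTTP response header."""


def check_url(value, allowed_schemes=("http", "https")):
    """Return value unchanged if it is safe to emit in a header, else raise.

    The raw string is inspected *before* parsing, so the result does not
    depend on how the URL parser treats embedded control characters.
    """
    if not isinstance(value, str):
        raise UnsafeURL("URL must be a string")
    bad = UNSAFE_URL_CHARS.intersection(value)
    if bad:
        raise UnsafeURL("control characters in URL: %r" % sorted(bad))
    parts = urlsplit(value)
    if parts.scheme.lower() not in allowed_schemes or not parts.netloc:
        raise UnsafeURL("URL needs an allowed scheme and a host")
    return value


def find_unsafe(values):
    """Audit helper: return (index, reason) for every stored value that fails."""
    findings = []
    for index, value in enumerate(values):
        try:
            check_url(value)
        except UnsafeURL as exc:
            findings.append((index, str(exc)))
    return findings


# Constructed sample values, as might sit in a column validated before the fix.
SAMPLES = [
    "https://example.com/next?page=2",
    "https://example.com/\r\nX-Injected: 1",
    "https://example.com/a\tb",
    "mailto:user@example.com",
]

if __name__ == "__main__":
    for index, reason in find_unsafe(SAMPLES):
        print(index, reason)
```

Running find_unsafe over values that were accepted before the package update shows which stored URLs need cleaning before they are used in a response header.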

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: python-django (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (2:2.2.22-1)
Ubuntu 21.04 (Hirsute Hippo)     Released (2:2.2.20-1ubuntu0.2)
Ubuntu 20.04 LTS (Focal Fossa)   Released (2:2.2.12-1ubuntu0.7)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable (1:1.11.11-1ubuntu1.13)
Ubuntu 16.04 ESM (Xenial Xerus)  Not vulnerable
Ubuntu 14.04 ESM (Trusty Tahr)   Not vulnerable