CVE-2021-44420
Published: 7 December 2021
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Notes
| Author | Note |
|---|---|
| mdeslaur | code in bionic is different, doesn't look affected |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-django Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Released
(2:2.2.12-1ubuntu0.8)
|
|
| hirsute |
Released
(2:2.2.20-1ubuntu0.3)
|
|
| impish |
Released
(2:2.2.24-1ubuntu1.1)
|
|
| jammy |
Released
(2:3.2.11-1)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(2.2.25,3.2.10)
|
|
| xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |