CVE-2021-44420
Published: 7 December 2021
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Notes
Author | Note |
---|---|
mdeslaur | code in bionic is different, doesn't look affected |
Priority
Status
Package | Release | Status |
---|---|---|
python-django Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
upstream |
Released
(2.2.25,3.2.10)
|
|
focal |
Released
(2:2.2.12-1ubuntu0.8)
|
|
hirsute |
Released
(2:2.2.20-1ubuntu0.3)
|
|
impish |
Released
(2:2.2.24-1ubuntu1.1)
|
|
jammy |
Released
(2:3.2.11-1)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |