CVE-2021-31542

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-31542

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-31542.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-31542

Aliases

Downstream

DEBIAN-CVE-2021-31542

DLA-2651-1

DLA-3744-1

RHSA-2021:4702

RHSA-2021:5070

SUSE-SU-2021:1962-1

SUSE-SU-2021:1963-1

SUSE-SU-2021:2554-1

UBUNTU-CVE-2021-31542

USN-4932-1

USN-4932-2

openSUSE-SU-2024:11205-1

openSUSE-SU-2024:13887-1

openSUSE-SU-2024:14208-1

Related

Published

2021-05-05T15:15:08Z

Modified

2025-09-24T10:55:55.172702Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type: GIT
Repo: https://github.com/django/django
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

04ac1624bdc2fa737188401757cf95ced122d26d

Fixed

25d84d64122c15050a0ee739e859f22ddab5ac48

Fixed

c98f446c188596d4ba6de71d1b77b4a6c5c2a007

Affected versions

1.*

1.0

1.1

1.2

1.2.1

1.3

1.4

1.7a1

1.7a2

2.*

2.2

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.2

2.2.20

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2a1

2.2b1

2.2rc1

3.*

3.1

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1a1

3.1b1

3.1rc1

3.2

3.2a1

3.2b1

3.2rc1