CVE-2021-44420

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-44420

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44420.json

Aliases

BIT-django-2021-44420
GHSA-v6rh-hp5x-86rv
PYSEC-2021-439

Related

RLSA-2022:5498
USN-5178-1

Published

2021-12-08T00:15:07Z

Modified

2023-12-06T01:01:41.266810Z

Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

References

https://docs.djangoproject.com/en/3.2/releases/security/
https://security.netapp.com/advisory/ntap-20211229-0006/
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
https://www.openwall.com/lists/oss-security/2021/12/07/1
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/

Affected packages

Git / github.com/django/django

Affected ranges

Type: GIT
Repo: https://github.com/django/django
Events: Introduced

635d53a86a36cde7866b9caefeb64d809e6bfcd9

Fixed

79d8dcefb2739176839fa76f8780aca5aa9b7101

Introduced

ec5bc3a991bf6f2b9afe9b1b4068e4a1e62001c2

Introduced

b6475d7d7940f3ce575e0b0f2d83e517f899b4cf

Affected versions

2.*

2.2

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.15

2.2.16

2.2.17

2.2.18

2.2.19

2.2.2

2.2.20

2.2.21

2.2.22

2.2.23

2.2.24

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9