CVE-2021-44420

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-44420
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44420.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-44420
Aliases
Downstream
Related
Published
2021-12-08T00:15:07.757Z
Modified
2026-04-16T04:34:20.728522806Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
[none]
Details

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Introduced
2a62cdcfec85938f40abb2e9e6a9ff497e02afe8
Fixed
79d8dcefb2739176839fa76f8780aca5aa9b7101
Introduced
0b8a0296bfd30748f08021834e95cdae241686e8
Fixed
840bebf1eef1c2a373158262cdfec611dc535658
Introduced
3591e1c1acbd7c13174275367c3fdf012cb0413b
Fixed
0153a63a674937e4a56d9d5e4ca2d629b011fbde
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
36b5f39d9372147f0e758f590e35ee2b2bc317dd
Database specific 
{
    "versions": [
        {
            "introduced": "2.2"
        },
        {
            "fixed": "2.2.25"
        },
        {
            "introduced": "3.1"
        },
        {
            "fixed": "3.1.14"
        },
        {
            "introduced": "3.2"
        },
        {
            "fixed": "3.2.10"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.0"
        }
    ]
}

Affected versions

1.*
1.0
1.1
1.2
1.2.1
1.3
1.4
1.7a2
2.*
2.2
2.2.1
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.2
2.2.20
2.2.21
2.2.22
2.2.23
2.2.24
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2a1
2.2b1
2.2rc1
3.*
3.1
3.1.1
3.1.10
3.1.11
3.1.12
3.1.13
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1a1
3.1b1
3.1rc1
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2a1
3.2b1
3.2rc1
6.*
6.0
6.0a1
6.0b1
6.0rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44420.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "20.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "21.04"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "21.10"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    }
]