CVE-2021-44420
medium
CVSS v3: —
CVSS v2: —
VIR risk: 5.5
Description
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Predictions
Exploit likelihood: 30%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-44420
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2022:5498
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-44420.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | | fixed | 3.2.10-1 |
| sles | | affected | |
| rocky | 8 | fixed | |
| debian | bookworm | fixed | 2:3.2.10-1 |
| debian | bullseye | fixed | 2:2.2.25-1~deb11u1 |
| debian | forky | fixed | 2:3.2.10-1 |
| debian | sid | fixed | 2:3.2.10-1 |
| debian | trixie | fixed | 2:3.2.10-1 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-44420
- https://github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6
- https://docs.djangoproject.com/en/3.2/releases/security
- https://github.com/advisories/GHSA-v6rh-hp5x-86rv
- https://github.com/django/django
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-439.yaml
- https://groups.google.com/forum/#!forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
- https://security.netapp.com/advisory/ntap-20211229-0006
- https://www.djangoproject.com/weblog/2021/dec/07/security-releases
- https://www.openwall.com/lists/oss-security/2021/12/07/1
- https://www.suse.com/security/cve/CVE-2021-44420.html
- https://errata.rockylinux.org/RLSA-2022:5498
- https://security-tracker.debian.org/tracker/CVE-2021-44420