CVE-2021-31542

high

Description

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

References

https://www.djangoproject.com/weblog/2021/may/04/security-releases/

https://security.netapp.com/advisory/ntap-20210618-0001/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/

https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html

https://groups.google.com/forum/#%21forum/django-announce

https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007

https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48

https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d

https://docs.djangoproject.com/en/3.2/releases/security/

http://www.openwall.com/lists/oss-security/2021/05/04/3

Details

Source: Mitre, NVD

Published: 2021-05-05

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N