In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-0cba1bd104 advisory.

    Automatic update for python-django3-3.2.15-1.fc38.

    ##### **Changelog**

    ```
    * Tue Oct  4 2022 Michel Alexandre Salim <salimma@fedoraproject.org> -     3.2.15-1
    - Initial python-django3 release
    * Sun Oct  2 2022 Michel Alexandre Salim <salimma@fedoraproject.org> - 3.2.9-6
    - Fork to python-django3, needed by the Mailman stack
    * Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.9-5
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
    * Fri Dec 17 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 3.2.9-4
    - Drop obsolete python_provide lines
    * Wed Dec 15 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 3.2.9-3
    - Use build-dependency generator
    - Use pyproject macros
    * Wed Dec 15 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 3.2.9-2
    - Drop old BR on python3-mock
    * Wed Nov 24 2021 Karolina Surma <ksurma@redhat.com> - 3.2.9-1
    - update to 3.2.9
    - unskip fixed tests
    - backport fix for building docs with python-sphinx 4.3.0
    * Wed Sep  8 2021 Matthias Runge <mrunge@redhat.com> - 3.2.7-1
    - update to 3.2.7 (rhbz#1999958)
    * Mon Aug  9 2021 Matthias Runge <mrunge@redhat.com> - 3.2.6-1
    - update to 3.2.6 (rhbz#1957630)
    - skip failing test AssertionError: Error: invalid choice: 'test'       (choose from 'foo')(rhbz#1898084)
    * Tue Jul 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.1-3
    - Second attempt - Rebuilt for       https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
    * Fri Jun  4 2021 Python Maint <python-maint@redhat.com> - 3.2.1-2
    - Rebuilt for Python 3.10
    * Tue May  4 2021 Matthias Runge <mrunge@redhat.com> - 3.2.1-1
    - rebase to 3.2.1, fixes CVE-2021-31542
    - rebase to 3.1.8 fixes CVE-2021-28658 (rbhz#1946580)
    - rebase to 3.2.1 (rhbz#1917820)
    * Fri Mar  5 2021 Matthias Runge <mrunge@redhat.com> - 3.1.7-1
    - update to 3.1.7, fix CVE-2021-23336 (rhbz#1931542)
    * Thu Feb  4 2021 Matthias Runge <mrunge@redhat.com> - 3.1.6-1
    - update to 3.1.6, fix CVE-2021-3281 (rhbz#1923734)
    * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.5-2
    - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
    * Mon Jan  4 2021 Matthias Runge <mrunge@redhat.com> - 3.1.5-1
    - update to 3.1.5
    * Thu Dec  3 2020 Matthias Runge <mrunge@redhat.com> - 3.1.4-1
    - update to 3.1.4 (rhbz#1893635)

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:0781 advisory.

    Red Hat Ansible Automation Platform integrates Red Hat's automation suite consisting of Red Hat Ansible     Tower, Red Hat Ansible Engine, Automation Hub and use-case specific capabilities for Microsoft Windows,     network, security, and more, along with Software-as-a-Service (SaaS)-based capabilities and features for     organization-wide effectiveness.

    This update fixes various bugs and adds enhancements. Documentation for     these changes is available from the Release Notes document linked to in the     References section.

    Security Fix(es):

    * node-notifier: nodejs-node-notifier: command injection due to the options params not being sanitised     when being passed an array (CVE-2020-7789)
    * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
    * django: Potential directory-traversal via archive.extract() (CVE-2021-3281)
    * python-pygments: infinite loop in SML lexer may lead to DoS (CVE-2021-20270)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3164 advisory.

  - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python     3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories     created in the process of uploading files. It was also not applied to intermediate-level collected static     directories when using the collectstatic management command. (CVE-2020-24583)

  - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python     3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask     rather than 0o077. (CVE-2020-24584)

  - The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before     3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and     urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query     parameters using a semicolon (;), they can cause a difference in the interpretation of the request between     the proxy (running with default configuration) and the server. This can result in malicious requests being     cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and     therefore would not include it in a cache key of an unkeyed parameter. (CVE-2021-23336)

  - In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract     method (used by startapp --template and startproject --template) allows directory traversal via an     archive with absolute paths or relative paths with dot segments. (CVE-2021-3281)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()     database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:3490 advisory.

    Security Fix(es):

    * Potential directory-traversal via archive.extract() (CVE-2021-3281)

    * Potential directory traversal via ``admindocs`` (CVE-2021-33203)

    * Possible indeterminate SSRF RFI and LFI attacks since validators accepted     leading zeros in IPv4 addresses (CVE-2021-33571)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5070 advisory.

    Security Fix(es):

    * Potential directory-traversal via archive.extract() (CVE-2021-3281)

    * potential directory-traversal via uploaded files (CVE-2021-28658)

    * Potential directory-traversal via uploaded files (CVE-2021-31542)

    * Potential directory traversal via ``admindocs`` (CVE-2021-33203)

    * Possible indeterminate SSRF RFI and LFI attacks since validators accepted     leading zeros in IPv4 addresses (CVE-2021-33571)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-5329c680f7 advisory.

  - In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract     method (used by startapp --template and startproject --template) allows directory traversal via an     archive with absolute paths or relative paths with dot segments. (CVE-2021-3281)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that there was a potential directory-traversal in Django, a Python-based web development framework.

For Debian 9 'Stretch', this problem has been fixed in version 1:1.10.7-2+deb9u10.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4715-1 advisory.

    Wang Baohua discovered that Django incorrectly extracted archive files. A remote attacker could possibly     use this issue to extract files outside of their expected location.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211197	Fedora 38 : python-django3 (2022-0cba1bd104)	Nessus	Fedora Local Security Checks	high
194285	RHEL 7 / 8 : Red Hat Ansible Automation Platform 1.2.2 (RHSA-2021:0781)	Nessus	Red Hat Local Security Checks	medium
166698	Debian DLA-3164-1 : python-django - LTS security update	Nessus	Debian Local Security Checks	critical
165154	RHEL 8 : Red Hat OpenStack Platform 16.2 (python-django20) (RHSA-2021:3490)	Nessus	Red Hat Local Security Checks	high
156005	RHEL 8 : Red Hat OpenStack Platform 16.1 (python-django20) (RHSA-2021:5070)	Nessus	Red Hat Local Security Checks	high
146509	Fedora 33 : python-django (2021-5329c680f7)	Nessus	Fedora Local Security Checks	medium
146053	Debian DLA-2540-1 : python-django security update	Nessus	Debian Local Security Checks	medium
146043	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Django vulnerability (USN-4715-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2021-3281

medium

Tenable Plugins

high

medium

critical

high

high

medium

medium

medium