In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-4094ccf096 advisory.

    Automatic update for python-django-4.0.2-1.fc36.

    ##### **Changelog**

    ```
    * Wed Feb  2 2022 Matthias Runge <mrunge@redhat.com> - 4.0.2-1
    - rebase to 4.0.2, fix for CVE-2022-22818 (rhbz#2049332)
    - fix for CVE-2022-23833 (rhbz#2049325)
    - this also fixes rhbz#1961135, rhbz#1967410, rhbz#1967428, rhbz#2037174, rhbz#2048940

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3744 advisory.

  - In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory     traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected     by this vulnerability. (CVE-2021-28658)

  - In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and     FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
    (CVE-2021-31542)

  - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via     django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of     arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by     application developers to also show file contents, then not only the existence but also the file contents     would have been exposed. In other words, there is directory traversal outside of the template root     directories. (CVE-2021-33203)

  - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address,     and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a     bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address     are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0005-1 advisory.

  - In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator     does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses     values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because     HttpResponse prohibits newlines in HTTP headers. (CVE-2021-32052)

  - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via     django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of     arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by     application developers to also show file contents, then not only the existence but also the file contents     would have been exposed. In other words, there is directory traversal outside of the template root     directories. (CVE-2021-33203)

  - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address,     and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a     bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address     are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
    UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was     artificially large in relation to the comparison values. In a situation where access to user registration     was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to     leveraging the Django Template Language's variable resolution logic, the dictsort template filter was     potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably     crafted key. (CVE-2021-45116)

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

  - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
    QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a     crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

  - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13,     and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
    **options argument, and placing the injection payload in an option name. (CVE-2022-28347)

  - An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7.
    An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition     header of a FileResponse when the filename is derived from user-supplied input. (CVE-2022-36359)

  - In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject     to a potential denial of service attack via the locale parameter, which is treated as a regular     expression. (CVE-2022-41323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:3490 advisory.

    Security Fix(es):

    * Potential directory-traversal via archive.extract() (CVE-2021-3281)

    * Potential directory traversal via ``admindocs`` (CVE-2021-33203)

    * Possible indeterminate SSRF RFI and LFI attacks since validators accepted     leading zeros in IPv4 addresses (CVE-2021-33571)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9341 advisory.

    [1.0.2-1.el8]
    - Fix multiple CVEs : CVE-2017-18342, CVE-2020-10109, CVE-2020-10108,       CVE-2021-33203, CVE-2021-33571, CVE-2021-44420, CVE-2021-31542,       CVE-2021-28658, CVE-2021-28957, CVE-2021-43818, CVE-2020-27783 [Orabug:
      34109801]

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5070 advisory.

    Security Fix(es):

    * Potential directory-traversal via archive.extract() (CVE-2021-3281)

    * potential directory-traversal via uploaded files (CVE-2021-28658)

    * Potential directory-traversal via uploaded files (CVE-2021-31542)

    * Potential directory traversal via ``admindocs`` (CVE-2021-33203)

    * Possible indeterminate SSRF RFI and LFI attacks since validators accepted     leading zeros in IPv4 addresses (CVE-2021-33571)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4702 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):
    * python-ecdsa: Unexpected and undocumented exceptions during signature decoding (CVE-2019-14853)
    * python-ecdsa: DER encoding is not being verified in signatures (CVE-2019-14859)
    * rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id     (CVE-2019-25025)
    * rake: OS Command Injection via egrep in Rake::FileList (CVE-2020-8130)
    * candlepin: guava - local information disclosure via temporary directory created with unsafe permissions     (CVE-2020-8908)
    * PyYAML: incomplete fix for CVE-2020-1747 (CVE-2020-14343)
    * tfm-rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema (CVE-2020-26247)
    * tfm-rubygem-foreman_azure_rm: Azure compute resource secret_key leak to authenticated users     (CVE-2021-3413)
    * foreman: possible man-in-the-middle in smart_proxy realm_freeipa (CVE-2021-3494)
    * foreman: BMC controller credential leak via API (CVE-2021-20256)
    * python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware (CVE-2021-21330)
    * rubygem-actionpack: Possible Information Disclosure / Unintended Method Execution in Action Pack     (CVE-2021-22885)
    * tfm-rubygem-actionpack: rails: Possible Denial of Service vulnerability in Action Dispatch     (CVE-2021-22902)
    * tfm-rubygem-actionpack: Possible DoS Vulnerability in Action Controller Token Authentication     (CVE-2021-22904)
    * python-django: potential directory-traversal via uploaded files (CVE-2021-28658)
    * tfm-rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS) (CVE-2021-29509)
    * python-django: Potential directory-traversal via uploaded files (CVE-2021-31542)
    * tfm-rubygem-addressable: ReDoS in templates (CVE-2021-32740)
    * python-django: Potential directory traversal via ``admindocs`` (CVE-2021-33203)
    * python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)
    * python-django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros     in IPv4 addresses (CVE-2021-33571)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    * Updated Content Management backend with Pulp 3 for increased performance, scale and reliability. MongoDB     is also removed from Satellite
    * Adds support for Azure GovCloud
    * Provides Satellite 6.10 Server support for Satellite 6.9 Capsules
    * Improves support for Satellite Air Gapped and Disconnected environments
    * Adds Ansible Collections content type to support disconnected environments
    * Foreman_webhooks introduced to replace foreman_hooks
    * Introduces UI to manage Personal Access Tokens
    * Adds ability to configure Pulp repository synchronization timeouts
    * Support for Convert2RHEL
    * Provides advanced options when registering a host
    * Supports remediation playbook signatures from console.redhat.com
    * Red Hat Insights Plugin replaced through new integration within Satellite
    * Ability to visually represent systems registered and in sync with Insights
    * Ability to verify if required packages are installed as part of pre-upgrade check
    * Ability to unset environment variables when installer is running
    * Ability to turn backups on and off when cleaning up tasks from database

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Two issues were discovered in Django, the Python-based web development framework :

  - CVE-2021-33203: Potential directory traversal via     admindocs

    Staff members could use the admindocs TemplateDetailView     view to check the existence of arbitrary files.
    Additionally, if (and only if) the default admindocs     templates have been customized by the developers to also     expose the file contents, then not only the existence     but also the file contents would have been exposed.

    As a mitigation, path sanitation is now applied and only     files within the template root directories can be     loaded.

    This issue has low severity, according to the Django     security policy.

    Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt     Larsen from the CodeQL Python team for the report.

  - CVE-2021-33571: Possible indeterminate SSRF, RFI, and     LFI attacks since validators accepted leading zeros in     IPv4 addresses

    URLValidator, validate_ipv4_address(), and     validate_ipv46_address() didn't prohibit leading zeros     in octal literals. If you used such values you could     suffer from indeterminate SSRF, RFI, and LFI attacks.

    validate_ipv4_address() and validate_ipv46_address()     validators were not affected on Python 3.9.5+.

    This issue has medium severity, according to the Django     security policy.

For Debian 9 'Stretch', this problem has been fixed in version 1:1.10.7-2+deb9u14.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4975-1 advisory.

    It was discovered that the Django URLValidator function incorrectly handled newlines and tabs. A remote     attacker could possibly use this issue to perform a header injection attack. This issue only affected     Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-32052)

    Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen discovered that Django incorrectly handled path     sanitation in admindocs. A remote attacker could possibly use this issue to determine the existence of     arbitrary files and in certain configurations obtain their contents. (CVE-2021-33203)

    It was discovered that Django incorrectly handled IPv4 addresses with leading zeros. A remote attacker     could possibly use this issue to perform a wide variety of attacks, including bypassing certain access     restrictions. (CVE-2021-33571)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211077	Fedora 36 : python-django (2022-4094ccf096)	Nessus	Fedora Local Security Checks	high
191437	Debian dla-3744 : python-django - security update	Nessus	Debian Local Security Checks	high
169481	openSUSE 15 Security Update : python-Django (openSUSE-SU-2023:0005-1)	Nessus	SuSE Local Security Checks	critical
165154	RHEL 8 : Red Hat OpenStack Platform 16.2 (python-django20) (RHSA-2021:3490)	Nessus	Red Hat Local Security Checks	high
160271	Oracle Linux 8 : ol-automation-manager (ELSA-2022-9341)	Nessus	Oracle Linux Local Security Checks	critical
156005	RHEL 8 : Red Hat OpenStack Platform 16.1 (python-django20) (RHSA-2021:5070)	Nessus	Red Hat Local Security Checks	high
155377	RHEL 7 : Satellite 6.10 Release (Moderate) (RHSA-2021:4702)	Nessus	Red Hat Local Security Checks	critical
150303	Debian DLA-2676-1 : python-django security update	Nessus	Debian Local Security Checks	high
150144	Ubuntu 18.04 LTS / 20.04 LTS : Django vulnerabilities (USN-4975-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2021-33571

high

Tenable Plugins

high

high

critical

high

critical

high

critical

high

high