Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-4094ccf096 advisory.

    Automatic update for python-django-4.0.2-1.fc36.

    ##### **Changelog**

    ```
    * Wed Feb  2 2022 Matthias Runge <mrunge@redhat.com> - 4.0.2-1
    - rebase to 4.0.2, fix for CVE-2022-22818 (rhbz#2049332)
    - fix for CVE-2022-23833 (rhbz#2049325)
    - this also fixes rhbz#1961135, rhbz#1967410, rhbz#1967428, rhbz#2037174, rhbz#2048940

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:5498 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):

    * libsolv: Heap-based buffer overflow in testcase_read() in src/testcase.c (CVE-2021-3200)
    * satellite: foreman: Authenticate remote code execution through Sendmail configuration (CVE-2021-3584)
    * candlepin: Allow unintended SCA certificate to authenticate Candlepin (CVE-2021-4142)
    * candlepin: netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
    * candlepin: netty: Possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
    * candlepin: netty: Request smuggling via content-length header (CVE-2021-21409)
    * tfm-rubygem-sidekiq: XSS via the queue name of the live-poll feature (CVE-2021-30151)
    * python-sqlparse: ReDoS via regular expression in StripComments filter (CVE-2021-32839)
    * libsolv: various flaws (CVE-2021-33928 CVE-2021-33929 CVE-2021-33930 CVE-2021-33938)
    * tfm-rubygem-puma: Inconsistent Interpretation of HTTP Requests in puma (CVE-2021-41136)
    * logback-classic: Remote code execution through JNDI call from within its configuration file     (CVE-2021-42550)
    * candlepin: netty: Control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
    * python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through (CVE-2021-43818)
    * python3-django: Potential bypass of an upstream access control based on URL paths (CVE-2021-44420)
    * libsolv: Heap overflow (CVE-2021-44568)
    * python3-django: Various flaws (CVE-2021-45115 CVE-2021-45116 CVE-2021-45452 CVE-2022-22818)
    * tfm-rubygem-actionpack: Information leak between requests (CVE-2022-23633)
    * tfm-rubygem-puma: rubygem-rails: Information leak between requests (CVE-2022-23634)
    * python3-django: Denial-of-service possibility in file uploads (CVE-2022-23833)
    * tfm-rubygem-sidekiq: WebUI Denial of Service caused by number of days on graph (CVE-2022-23837)
    * python3-django: Various flaws (CVE-2022-28346 CVE-2022-28347)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    * New repo layout for Satellite, Utils, Maintenance, and Client repos.
    * Support for RHEL 9 clients
    * Module-based installation on RHEL 8
    * Upgrading Satellite Server and Capsule Server installations from RHEL 7 to RHEL 8
    * Connected and Disconnected servers supported on RHEL 7 and RHEL 8
    * Inter-Server Synchronization improvements
    * Puppet integration optional and disabled by default
    * Pulp 3 updated to Python 3.8
    * Change to Capsule certificate archive
    * New default port for communication with Red Hat Subscription Management * (RHSM) API on Capsule servers
    * New Content Views Page (Content Publication workflow simplification)
    * New Hosts Page (Technology Preview)
    * Registration and preview templates
    * Simplified host content source changing
    * Improved behavior for configuring and running remote jobs
    * Provisioning improvements
    * New error signaling unsupported options in TASK-Filter
    * Virt-who configuration enhanced to support Nutanix AHV
    * Cloud Connector configuration updated
    * Improved Insights adoption

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:5498 advisory.

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a     vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are     used local information disclosure can occur via the local system temporary directory if temporary storing     uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user.
    As such, writing to this directory using APIs that do not explicitly set the file/directory permissions     can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The     method File.createTempFile on unix-like systems creates a random file, but, by default will create this     file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other     local users can read this information. This is the case in netty's AbstractDiskHttpData is vulnerable.
    This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own java.io.tmpdir     when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something     that is only readable by the current user. (CVE-2021-21290)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header     is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is     propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request     comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,     `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's     pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy     case, users may assume the content-length is validated somehow, which is not the case. If the request is     forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs     to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to     HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of     this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is     used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This     has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by     implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind     `Http2StreamFrameToHttpObjectCodec`. (CVE-2021-21295)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is     not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to     true. This could lead to request smuggling if the request is proxied to a remote peer and translated to     HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case.
    This was fixed as part of 4.1.61.Final. (CVE-2021-21409)

  - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when     Internet Explorer is used. (CVE-2021-30151)

  - Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp,     const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334,     which could cause a denial of service (CVE-2021-3200)

  - sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a     regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause     exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the     formatting feature that removes comments from SQL statements is affected by this regular expression. As a     workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-     comments command line flag when using the sqlformat command line tool. The issues has been fixed in     sqlparse 0.4.2. (CVE-2021-32839)

  - Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows     attackers to cause a Denial of Service. (CVE-2021-33928)

  - Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17     allows attackers to cause a Denial of Service. (CVE-2021-33929)

  - Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before     0.7.17 allows attackers to cause a Denial of Service. (CVE-2021-33930)

  - Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17     allows attackers to cause a Denial of Service. (CVE-2021-33938)

  - A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker     could use Sendmail configuration options to overwrite the defaults and perform command injection. The     highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed     releases are 2.4.1, 2.5.1, 3.0.0. (CVE-2021-3584)

  - Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with     a proxy which forwards HTTP header values which contain the LF character could allow HTTP request     smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to     another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is     Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via     HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two     requests, and when processing the second request, send back a response that the proxy does not expect. If     the proxy has reused the persistent connection to Puma to send another request for a different client, the     second response from the first client will be sent to the second client. This vulnerability was patched in     Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`. (CVE-2021-41136)

  - The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors     could allow an attacker to use the SCA (simple content access) certificate for authentication with     Candlepin. (CVE-2021-4142)

  - In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit     configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from     LDAP servers. (CVE-2021-42550)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

  - lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML     Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG     files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should     upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. (CVE-2021-43818)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap     variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause     a remote Denial of Service. (CVE-2021-44568)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
    UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was     artificially large in relation to the comparison values. In a situation where access to user registration     was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to     leveraging the Django Template Language's variable resolution logic, the dictsort template filter was     potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably     crafted key. (CVE-2021-45116)

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - Action Pack is a framework for handling and responding to web requests. Under certain circumstances     response bodies will not be closed. In the event a response is *not* notified of a `close`,     `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead     to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and     5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-     wh98-p28r-vrc9 can be used. (CVE-2022-23633)

  - Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not     always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body     being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of     these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information     leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions     7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the     vulnerability. (CVE-2022-23634)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

  - In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting     stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
    (CVE-2022-23837)

  - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
    QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a     crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

  - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13,     and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
    **options argument, and placing the injection payload in an option name. (CVE-2022-28347)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0005-1 advisory.

  - In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator     does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses     values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because     HttpResponse prohibits newlines in HTTP headers. (CVE-2021-32052)

  - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via     django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of     arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by     application developers to also show file contents, then not only the existence but also the file contents     would have been exposed. In other words, there is directory traversal outside of the template root     directories. (CVE-2021-33203)

  - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address,     and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a     bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address     are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
    UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was     artificially large in relation to the comparison values. In a situation where access to user registration     was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to     leveraging the Django Template Language's variable resolution logic, the dictsort template filter was     potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably     crafted key. (CVE-2021-45116)

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

  - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
    QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a     crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

  - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13,     and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
    **options argument, and placing the injection payload in an option name. (CVE-2022-28347)

  - An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7.
    An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition     header of a FileResponse when the filename is derived from user-supplied input. (CVE-2022-36359)

  - In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject     to a potential denial of service attack via the locale parameter, which is treated as a regular     expression. (CVE-2022-41323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3191 advisory.

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the d3e023fb-6e88-11ec-b948-080027240888 advisory.

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
    UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was     artificially large in relation to the comparison values. In a situation where access to user registration     was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to     leveraging the Django Template Language's variable resolution logic, the dictsort template filter was     potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably     crafted key. (CVE-2021-45116)

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5204-1 advisory.

    Chris Bailey discovered that Django incorrectly handled evaluating submitted passwords. A remote attacker     could possibly use this issue to consume resources, resulting in a denial of service. (CVE-2021-45115)

    Dennis Brinkrolf discovered that Django incorrectly handled the dictsort template filter. A remote     attacker could possibly use this issue to obtain sensitive information. (CVE-2021-45116)

    Dennis Brinkrolf discovered that Django incorrectly handled certain file names. A remote attacker could     possibly use this issue to save files to arbitrary filesystem locations. (CVE-2021-45452)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211077	Fedora 36 : python-django (2022-4094ccf096)	Nessus	Fedora Local Security Checks	high
194275	RHEL 7 / 8 : Satellite 6.11 Release (Moderate) (RHSA-2022:5498)	Nessus	Red Hat Local Security Checks	critical
184590	Rocky Linux 8 : Satellite 6.11 Release (Moderate) (RLSA-2022:5498)	Nessus	Rocky Linux Local Security Checks	critical
169481	openSUSE 15 Security Update : python-Django (openSUSE-SU-2023:0005-1)	Nessus	SuSE Local Security Checks	critical
167780	Debian DLA-3191-1 : python-django - LTS security update	Nessus	Debian Local Security Checks	medium
156474	FreeBSD : Django -- multiple vulnerabilities (d3e023fb-6e88-11ec-b948-080027240888)	Nessus	FreeBSD Local Security Checks	high
156472	Ubuntu 18.04 LTS / 20.04 LTS : Django vulnerabilities (USN-5204-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2021-45452

medium

Tenable Plugins

high

critical

critical

critical

medium

high

high