Описание
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python-django | fixed | 2:3.2.10-1 | package | |
| python-django | fixed | 2:2.2.25-1~deb11u1 | bullseye | package |
| python-django | not-affected | buster | package | |
| python-django | not-affected | stretch | package |
Примечания
https://www.openwall.com/lists/oss-security/2021/12/07/1
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
https://github.com/django/django/commit/333c65603032c377e682cdbd7388657a5463a05a (3.2.10)
https://github.com/django/django/commit/7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (2.2.25)
Связанные уязвимости
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Potential bypass of an upstream access control based on URL paths in Django
ELSA-2022-9341: ol-automation-manager security update (IMPORTANT)