Description
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| python-django | fixed | 2:3.2.10-1 | | package |
| python-django | fixed | 2:2.2.25-1~deb11u1 | bullseye | package |
| python-django | not-affected | | buster | package |
| python-django | not-affected | | stretch | package |
Notes
https://www.openwall.com/lists/oss-security/2021/12/07/1
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
https://github.com/django/django/commit/333c65603032c377e682cdbd7388657a5463a05a (3.2.10)
https://github.com/django/django/commit/7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (2.2.25)
EPSS
Related vulnerabilities
Potential bypass of an upstream access control based on URL paths in Django
ELSA-2022-9341: ol-automation-manager security update (IMPORTANT)