CVE-2021-28658

Published: 06 Apr 2021
Source: redhat
CVSS3: 5.3

Description

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

A flaw was found in Django. This flaw allows an attacker to upload specially-named files and exploit a flaw in the MultiPartParser() function to traverse directories. The highest threat from this vulnerability is to confidentiality.

Statement

Although Red Hat Ansible Tower ships the flawed code, it does not use the vulnerable function, i.e. "MultiPartParser", and therefore will not be updated. Red Hat Update Infrastructure ships an affected version of python-django; however, RHUI v3 is in the maintenance support phase and we are only fixing critical and important fixes. Please refer to the RHUI support lifecycle page for more information: https://access.redhat.com/support/policy/updates/rhui. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-django package.

Affected packages

Platform                                              | Package         | State                | Recommendation | Release
------------------------------------------------------|-----------------|----------------------|----------------|--------
Red Hat Ansible Automation Platform 1.2               | django          | Affected             |                |
Red Hat Ansible Automation Platform 1.2               | python-django   | Affected             |                |
Red Hat Ansible Tower 3                               | django          | Not affected         |                |
Red Hat Ceph Storage 2                                | calamari-server | Out of support scope |                |
Red Hat Ceph Storage 2                                | python-django   | Out of support scope |                |
Red Hat Ceph Storage 3                                | python-django   | Out of support scope |                |
Red Hat OpenStack Platform 10 (Newton)                | python-django   | Out of support scope |                |
Red Hat OpenStack Platform 13 (Queens)                | python-django   | Will not fix         |                |
Red Hat Storage 3                                     | python-django   | Affected             |                |
Red Hat Update Infrastructure 3 for Cloud Providers   | python-django   | Out of support scope |                |


Additional information

Status:

Moderate
Defect:
CWE-22
https://bugzilla.redhat.com/show_bug.cgi?id=1944801 (django: potential directory-traversal via uploaded files)

CVSS3: 5.3 Medium

Related vulnerabilities

CVSS3: 5.3
ubuntu
about 4 years ago

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

CVSS3: 5.3
nvd
about 4 years ago

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

CVSS3: 5.3
debian
about 4 years ago

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, ...

CVSS3: 5.3
github
about 4 years ago

Directory Traversal in Django

CVSS3: 5.3
fstec
about 4 years ago

A vulnerability in the MultiPartParser component of the Django web application framework, related to improper limitation of a pathname to a directory, allowing an attacker to gain access to confidential data.
