Description
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
A flaw was found in django where the django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory traversal via an archive with absolute paths or relative paths with dot segments.
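The description above names the two dangerous member-name shapes: absolute paths and relative paths containing dot segments. The following Python is an added, stand-alone example (not Django's own code and not the fix shipped in 2.2.18/3.0.12/3.1.6) of the kind of validation an extraction routine needs: it rejects both shapes before any file is written, re-checks the resolved target against the real extraction directory, and, going slightly beyond the text, also refuses Windows drive/UNC prefixes and non-regular members such as symlinks. The sample tar archive is constructed inline so the check can be run offline; the helper names are this example's own.

```python
"""Validate archive member names before extraction (added example, not Django code)."""
import io
import ntpath
import os
import tarfile
import tempfile


def is_safe_member(name: str) -> bool:
    """True only if NAME cannot leave the extraction directory.

    Rejects empty names, absolute POSIX paths, Windows drive or UNC
    prefixes, and any '..' segment, even ones a later normalisation
    would cancel out (e.g. 'app/../../x').
    """
    if not name:
        return False
    normalized = name.replace("\\", "/")        # archives may carry either separator
    if normalized.startswith("/"):               # absolute path
        return False
    if ntpath.splitdrive(normalized)[0]:         # 'C:' or '//server/share'
        return False
    return ".." not in normalized.split("/")     # dot-segment traversal


def safe_target(base_dir: str, name: str) -> str:
    """Map a validated member name to an absolute path and re-check it
    against the real base directory (catches symlinked components)."""
    if not is_safe_member(name):
        raise ValueError(f"unsafe archive member name: {name!r}")
    base = os.path.realpath(base_dir)
    parts = name.replace("\\", "/").split("/")
    target = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"member escapes extraction dir: {name!r}")
    return target


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract only regular-file members whose names pass validation.

    Returns (sorted extracted names, sorted rejected names). Directory
    entries are skipped because parent directories are created on demand;
    symlinks and other special members are rejected outright.
    """
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue
            if not member.isfile() or not is_safe_member(member.name):
                rejected.append(member.name)
                continue
            target = safe_target(dest_dir, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            extracted.append(member.name)
    return sorted(extracted), sorted(rejected)


def build_sample_archive() -> bytes:
    """Constructed sample archive: two benign template files plus three
    members whose names try to escape the extraction directory."""
    members = {
        "app_template/__init__.py": b"",
        "app_template/models.py": b"# models\n",
        "../outside.py": b"# leading dot segment\n",
        "/tmp/absolute.py": b"# absolute path\n",
        "app_template/../../sneaky.py": b"# dot segments in the middle\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)   # addfile() stores the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Extract the constructed archive into a throwaway directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

The segment check runs on the raw name rather than on a normalised path because normalisation is exactly what lets `app/../../x` look harmless; the `realpath`/`commonpath` check in `safe_target` is a second, independent barrier for cases the string test cannot see, such as a previously extracted symlink.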
Report
The following products ship an affected version of python-django; however, the vulnerable function archive.extract() is currently not used in any part of the product, and hence this issue has been rated as having a security impact of Low:
- Red Hat Gluster Storage 3
- Red Hat Update Infrastructure 3

Because the flaw's impact is Low and Red Hat OpenStack Platform 13 will be retiring soon, no update will be provided at this time for the RHOSP13 python-django package.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Ansible Automation Platform 1.2 | python-django | Affected | ||
Red Hat Ansible Tower 3 | django | Not affected | ||
Red Hat Ceph Storage 2 | python-django | Out of support scope | ||
Red Hat Ceph Storage 3 | python-django | Affected | ||
Red Hat OpenStack Platform 10 (Newton) | python-django | Out of support scope | ||
Red Hat OpenStack Platform 13 (Queens) | python-django | Will not fix | ||
Red Hat Satellite 6 | python-django | Affected | ||
Red Hat Storage 3 | python-django | Affected | ||
Red Hat Update Infrastructure 3 for Cloud Providers | python-django | Fix deferred | ||
Red Hat Ansible Tower 3.8 for RHEL 7 | ansible-tower-38/ansible-runner-rhel7 | Fixed | RHSA-2021:0780 | 09.03.2021 |
Additional information
Status: 5.3 Medium (CVSS3)
Related vulnerabilities
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, ...
Vulnerability in the django.utils.archive.extract method of the Django framework, related to improper limitation of a pathname to a directory, allowing an attacker to affect data integrity.
5.3 Medium (CVSS3)