Description
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Release | Status | Note |
---|---|---|
bionic | released | 1:1.11.11-1ubuntu1.12 |
devel | released | 2:2.2.19-1ubuntu1 |
esm-infra-legacy/trusty | needed | |
esm-infra/bionic | not-affected | 1:1.11.11-1ubuntu1.12 |
esm-infra/focal | not-affected | 2:2.2.12-1ubuntu0.5 |
esm-infra/xenial | not-affected | 1.8.7-1ubuntu5.15 |
focal | released | 2:2.2.12-1ubuntu0.5 |
groovy | released | 2:2.2.16-1ubuntu0.3 |
hirsute | released | 2:2.2.19-1ubuntu1 |
impish | released | 2:2.2.19-1ubuntu1 |
EPSS
CVSS2: 5 Medium
CVSS3: 5.3 Medium
Related vulnerabilities
A vulnerability in the MultiPartParser component of the Django web application framework, related to improper restriction of a pathname to a directory, that allows an attacker to gain access to confidential data