Description
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Release | Status | Note |
---|---|---|
bionic | released | 1:1.11.11-1ubuntu1.10 |
devel | released | 2:2.2.18-1 |
esm-infra-legacy/trusty | not-affected | 1.6.11-0ubuntu1.3+esm2 |
esm-infra/bionic | not-affected | 1:1.11.11-1ubuntu1.10 |
esm-infra/focal | not-affected | 2:2.2.12-1ubuntu0.3 |
esm-infra/xenial | not-affected | 1.8.7-1ubuntu5.14 |
focal | released | 2:2.2.12-1ubuntu0.3 |
groovy | released | 2:2.2.16-1ubuntu0.1 |
precise/esm | DNE | |
trusty | ignored | end of standard support |
CVSS2: 5 Medium
CVSS3: 5.3 Medium
Related vulnerabilities
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, ...
A vulnerability in the django.utils.archive.extract method of the Django framework, caused by improper limitation of a pathname to a directory, that allows an attacker to affect data integrity