Directory Traversal Affecting python-django package, versions <1.8.7-1ubuntu5.15
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
EPSS
0.76% (81st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UBUNTU1604-PYTHONDJANGO-1243890
- published 7 Apr 2021
- disclosed 6 Apr 2021
Introduced: 6 Apr 2021
CVE-2021-28658 Open this link in a new tabHow to fix?
Upgrade Ubuntu:16.04 python-django to version 1.8.7-1ubuntu5.15 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream python-django package and not the python-django package as distributed by Ubuntu.
See How to fix? for Ubuntu:16.04 relevant fixed versions and status.
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-28658
- https://security.netapp.com/advisory/ntap-20210528-0001/
- https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
- https://docs.djangoproject.com/en/3.1/releases/security/
- https://groups.google.com/g/django-announce/c/ePr5j-ngdPU
- https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/