CVE-2021-28658 – django
Package
Manager: pip
Name: django
Vulnerable Version: >=2.2a1 <2.2.20 || >=3.0a1 <3.0.14 || >=3.1a1 <3.1.8
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01948 (percentile 0.82745)
Details
Directory Traversal in Django
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Metadata
Created: 2021-04-08T18:11:48Z
Modified: 2024-09-20T15:47:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-xgxc-v2qg-chmh/GHSA-xgxc-v2qg-chmh.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-xgxc-v2qg-chmh
Finding: F063
Auto approve: 1