CVE-2021-32052 – django

Package

Manager: pip
Name: django
Vulnerable Version: >=2.2 <2.2.22 || >=3.1 <3.1.10 || >=3.2 <3.2.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00635 pctl0.69496

Details

Header injection possible in Django In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

Metadata

Created: 2021-06-09T17:14:51Z
Modified: 2024-09-20T15:28:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-qm57-vhq3-3fwf/GHSA-qm57-vhq3-3fwf.json
CWE IDs: ["CWE-79", "CWE-88"]
Alternative ID: GHSA-qm57-vhq3-3fwf
Finding: F425
Auto approve: 1