logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-33571 django

Package

Manager: pip
Name: django
Vulnerable Version: >=2.2a1 <2.2.24 || >=3.0a1 <3.1.12 || >=3.2a1 <3.2.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00016 pctl0.02478

Details

Django Access Control Bypass possibly leading to SSRF, RFI, and LFI attacks In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

Metadata

Created: 2021-06-10T17:21:12Z
Modified: 2024-09-20T15:46:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-p99v-5w3c-jqq9/GHSA-p99v-5w3c-jqq9.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-p99v-5w3c-jqq9
Finding: F100
Auto approve: 1