CVE-2021-44420

HIGH7.3EPSS 0.12%

Potential bypass of an upstream access control based on URL paths in Django

Published: 12/9/2021Modified: 4/3/2025

Also known as:GHSA-v6rh-hp5x-86rvBIT-django-2021-44420PYSEC-2021-439

Description

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Affected packages (4)

Bitnami/django>= 2.2.0, < 2.2.25, >= 3.1.0, < 3.1.14, >= 3.2.0, < 3.2.10
Debian/python-djangofrom 0, < 2:2.2.25-1~deb11u1
PyPI/django>= 2.2a1, < 2.2.25
PyPI/django>= 2.2, < 2.2.25, >= 3.1, < 3.1.14, >= 3.2, < 3.2.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (17)

ADVISORYhttps://github.com/advisories/GHSA-v6rh-hp5x-86rv
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-44420
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-44420
ADVISORYhttps://www.djangoproject.com/weblog/2021/dec/07/security-releases/
PATCHhttps://github.com/django/django
WEBhttps://docs.djangoproject.com/en/3.2/releases/security
WEBhttps://docs.djangoproject.com/en/3.2/releases/security/
WEBhttps://github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-439.yaml
WEBhttps://groups.google.com/forum/#%21forum/django-announce
WEBhttps://groups.google.com/forum/#!forum/django-announce
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
WEBhttps://security.netapp.com/advisory/ntap-20211229-0006
WEBhttps://security.netapp.com/advisory/ntap-20211229-0006/
WEBhttps://www.djangoproject.com/weblog/2021/dec/07/security-releases
WEBhttps://www.openwall.com/lists/oss-security/2021/12/07/1