CVE-2021-33203

MEDIUM4.9EPSS 0.14%

Path Traversal in Django

發布日:2021/6/10修改日:2024/9/20

也稱為:GHSA-68w8-qjq3-2gfmBIT-django-2021-33203PYSEC-2021-98

描述

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

受影響套件(5)

Bitnami/djangofrom 0, < 2.2.24, >= 3.0.0, < 3.1.12, >= 3.2.0, < 3.2.4
Debian/python-djangofrom 0, < 2:2.2.24-1
Debian/python-djangofrom 0, < 1:1.10.7-2+deb9u14
PyPI/djangofrom 0, < 2.2.24
PyPI/djangofrom 0, < 2.2.24, >= 3.0, < 3.1.12, >= 3.2, < 3.2.4

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

描述

受影響套件(5)

CVSS 分數

參考連結(18)