CVE-2021-28658

Advisory

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability. See CVE-2021-28658.


CONFIRM:https://www.djangoproject.com/weblog/2021/apr/06/security-releases/: https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
MISC:https://docs.djangoproject.com/en/3.1/releases/security/: https://docs.djangoproject.com/en/3.1/releases/security/
MISC:https://groups.google.com/g/django-announce/c/ePr5j-ngdPU: https://groups.google.com/g/django-announce/c/ePr5j-ngdPU

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
• https://groups.google.com/g/django-announce/c/ePr5j-ngdPU
• https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
• https://docs.djangoproject.com/en/3.1/releases/security/
• https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html
• https://lists.fedoraproject.org/archives/list/[email protected]/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
• https://security.netapp.com/advisory/ntap-20210528-0001/