CVE-2021-32052

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers. See CVE-2021-32052.


MISC:http://www.openwall.com/lists/oss-security/2021/05/06/1: http://www.openwall.com/lists/oss-security/2021/05/06/1
MISC:https://docs.djangoproject.com/en/3.2/releases/security/: https://docs.djangoproject.com/en/3.2/releases/security/
MISC:https://groups.google.com/forum/#!forum/django-announce: https://groups.google.com/forum/#%21forum/django-announce
MISC:https://www.djangoproject.com/weblog/2021/may/06/security-releases/: https://www.djangoproject.com/weblog/2021/may/06/security-releases/

Resources

• http://www.openwall.com/lists/oss-security/2021/05/06/1
• https://docs.djangoproject.com/en/3.2/releases/security/
• https://groups.google.com/forum/#%21forum/django-announce
• https://www.djangoproject.com/weblog/2021/may/06/security-releases/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32052
• https://groups.google.com/forum/#!forum/django-announce
• https://lists.fedoraproject.org/archives/list/[email protected]/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
• https://security.netapp.com/advisory/ntap-20210611-0002/