
Test ID: 1.3.6.1.4.1.25623.1.1.10.2021.0356
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2021-0356)
Summary: The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2021-0356 advisory.
Description:
Summary:
The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2021-0356 advisory.

Vulnerability Insight:
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8,
MultiPartParser allowed directory traversal via uploaded files with suitably
crafted file names. Built-in upload handlers were not affected by this
vulnerability (CVE-2021-28658).

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1,
MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via
uploaded files with suitably crafted file names (CVE-2021-31542).

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with
Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the
URLField form field is used). If an application uses values with newlines in
an HTTP response, header injection can occur. Django itself is unaffected
because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential
directory traversal via django.contrib.admindocs. Staff members could use the
TemplateDetailView view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by application developers to also show file contents, then not only
the existence but also the file contents would have been exposed. In other
words, there is directory traversal outside of the template root directories
(CVE-2021-33203).

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4,
URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit
leading zero characters in octal literals. This may allow a bypass of access
control that is based on IP addresses. (validate_ipv4_address and
validate_ipv46_address are unaffected with Python 3.9.5+.) (CVE-2021-33571).

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by
SQL injection if order_by is untrusted input from a client of a web application
(CVE-2021-35042).

The python-django package is updated to version 3.1.13 to fix these security
issues, among other upstream bug fixes; see the upstream release notes.

Affected Software/OS:
'python-django' package(s) on Mageia 8.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross references:
Common Vulnerability Exposure (CVE) ID: CVE-2021-28658
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
https://docs.djangoproject.com/en/3.1/releases/security/
https://groups.google.com/g/django-announce/c/ePr5j-ngdPU
https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-31542
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
http://www.openwall.com/lists/oss-security/2021/05/04/3
https://docs.djangoproject.com/en/3.2/releases/security/
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d
https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48
https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007
https://groups.google.com/forum/#!forum/django-announce
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html
Common Vulnerability Exposure (CVE) ID: CVE-2021-32052
http://www.openwall.com/lists/oss-security/2021/05/06/1
https://www.djangoproject.com/weblog/2021/may/06/security-releases/
Common Vulnerability Exposure (CVE) ID: CVE-2021-33203
Common Vulnerability Exposure (CVE) ID: CVE-2021-33571
https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
v2.2.24: https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
v3.1.12: https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
v3.2.4: https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
Common Vulnerability Exposure (CVE) ID: CVE-2021-35042
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/
Copyright: Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.