Test ID: 1.3.6.1.4.1.25623.1.1.10.2021.0356
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2021-0356)
Summary: The remote host is missing an update for the 'python-django' package(s) announced via the MGASA-2021-0356 advisory.

Description:

Vulnerability Insight:

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability (CVE-2021-28658).

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names (CVE-2021-31542).

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers (CVE-2021-32052).

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories (CVE-2021-33203).

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.) (CVE-2021-33571).

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application (CVE-2021-35042).

The python-django package is updated to version 3.1.13 to fix these security issues, among other upstream bugfixes; see the upstream release notes.

Affected Software/OS: 'python-django' package(s) on Mageia 8.
Solution: Please install the updated package(s).
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:

Common Vulnerability Exposure (CVE) ID: CVE-2021-28658
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
https://docs.djangoproject.com/en/3.1/releases/security/
https://groups.google.com/g/django-announce/c/ePr5j-ngdPU
https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html

Common Vulnerability Exposure (CVE) ID: CVE-2021-31542
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
http://www.openwall.com/lists/oss-security/2021/05/04/3
https://docs.djangoproject.com/en/3.2/releases/security/
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d
https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48
https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007
https://groups.google.com/forum/#!forum/django-announce
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html

Common Vulnerability Exposure (CVE) ID: CVE-2021-32052
http://www.openwall.com/lists/oss-security/2021/05/06/1
https://www.djangoproject.com/weblog/2021/may/06/security-releases/

Common Vulnerability Exposure (CVE) ID: CVE-2021-33203

Common Vulnerability Exposure (CVE) ID: CVE-2021-33571
https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
v2.2.24: https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
v3.1.12: https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
v3.2.4: https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d

Common Vulnerability Exposure (CVE) ID: CVE-2021-35042
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/
Copyright: Copyright (C) 2022 Greenbone AG