CVE-2021-31542

June 18, 2021

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

Summary:

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

Reference Links(if available):

  • https://www.djangoproject.com/weblog/2021/may/04/security-releases/
  • https://docs.djangoproject.com/en/3.2/releases/security/
  • http://www.openwall.com/lists/oss-security/2021/05/04/3
  • https://groups.google.com/forum/#!forum/django-announce
  • https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html

    • CVSS Score (if available)

    v2: / HIGHAV:N/AC:L/Au:N/C:P/I:N/A:N

    v3: / HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    Links to Exploits(if available)

  • You may have missed

    news

    Microsoft Addresses Four Critical Zero-Days in November Patch Tuesday Updates

    November 14, 2024
    news

    AI Threat Worsening in 2025: Insights from Google Cloud

    November 14, 2024
    news

    Lazarus Group’s Code Smuggling Technique Exploits Extended Attributes in macOS

    November 14, 2024
    news

    Ethical Hacker or Not? Amazon MOVEit Leaker’s Controversial Claims

    November 14, 2024
    news

    Hive0145 Targets Europe with Sophisticated Strela Stealer Campaigns

    November 14, 2024