In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| Django(PyPI) | 2.2a1 | 2.2.20 | N/A |
| Django(PyPI) | 3.0a1 | 3.0.14 | N/A |
| Django(PyPI) | 3.1a1 | 3.1.8 | N/A |
CVSS Metrics
