Moole Vulnerability Database

Find real vulnerabilities before they ship

High

CVE-2021-44420

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

VectorNETWORK

PublishedDec 08, 2021, 00:15

Published Bycve@mitre.org

Base Score

Score7.3

Affected Versions

Package (Ecosystem)IntroducedFixedLimit

Django(PyPI)2.2a12.2.25N/A

Django(PyPI)3.0a13.1.14N/A

Django(PyPI)3.2a13.2.10N/A

References

https://docs.djangoproject.com/en/3.2/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://security.netapp.com/advisory/ntap-20211229-0006/
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
https://www.openwall.com/lists/oss-security/2021/12/07/1

Weakness Type

NVD-CWE-Other

CVSS Metrics

Base Score

7.3

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base SeverityHigh

Version

3.1

Attack Vector (AV)

NETWORK