CVE-2021-33571

EPSS 0.02%
Published 08.06.2021 18:15:08
Last modified 21.11.2024 06:09:06
Source cve@mitre.org
Teams watchlist Login
Open Login

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Djangoproject ≫ Django Version >= 2.2 < 2.2.24

Djangoproject ≫ Django Version >= 3.0 < 3.1.12

Djangoproject ≫ Django Version >= 3.2 < 3.2.4

Fedoraproject ≫ Fedora Version35

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.022

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://docs.djangoproject.com/en/3.2/releases/security/

Patch

Vendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/

https://security.netapp.com/advisory/ntap-20210727-0004/

Third Party Advisory

https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

Patch

Vendor Advisory

https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e

https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d

https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc