Bug 1919969 (CVE-2021-3281)

Summary: CVE-2021-3281 django: Potential directory-traversal via archive.extract()
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, amoralej, anharris, apevec, bbuckingham, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, cmoore, davidn, dbecker, dkuc, flucifre, gblomqui, gmeno, hhudgeon, hvyas, jal233, jhardy, jjoyce, jschluet, kaycoth, kwalsh, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, mseri, nmoumoul, notting, osapryki, puebele, rchan, rdopiera, rhel8-maint, rhos-maint, rjerrido, rpetrell, sclewis, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Django 2.2.18, Django 3.0.12, Django 3.1.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django where the`django.utils.archive.extract()` function, used by `startapp --template` and `startproject --template`, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-09 21:05:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1923732, 1923735, 1920447, 1920448, 1920449, 1920450, 1921162, 1922559, 1923733, 1923734, 1923983, 1925122, 1931446, 1934375, 1934376, 1935678, 1935679, 1973468    
Bug Blocks: 1919992    

Description Michael Kaplan 2021-01-25 13:40:07 UTC 
The ``django.utils.archive.extract()`` function, used by ``startapp --template`` and ``startproject --template``, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.
Comment 5 Mauro Matteo Cascella 2021-02-01 18:14:19 UTC 
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1923735]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1923732]
Affects: fedora-all [bug 1923733]
Affects: openstack-rdo [bug 1923734]
Comment 7 Mauro Matteo Cascella 2021-02-01 18:18:01 UTC 
Upstream fix:
https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23 [master]
https://github.com/django/django/commit/f944f79e555c91571192022a6bb9ddf2178db7ed [3.2]
https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624 [3.1]
https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a [3.0]
https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37 [2.2]
Comment 15 errata-xmlrpc 2021-03-09 15:14:44 UTC 
This issue has been addressed in the following products:

  Red Hat Automation Hub 4.2 for RHEL 7
  Red Hat Automation Hub 4.2 for RHEL 8

Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781
Comment 16 errata-xmlrpc 2021-03-09 16:02:25 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.8 for RHEL 7

Via RHSA-2021:0780 https://access.redhat.com/errata/RHSA-2021:0780
Comment 17 Product Security DevOps Team 2021-03-09 21:05:56 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3281
Comment 18 Nick Tait 2021-04-03 16:14:15 UTC 
Statement:

The following products ship affected version of python-django, however the vulnerable function archive.extract() is currently not used in any part of the product and hence this issue has been rated as having a security impact of Low:
* Red Hat Gluster Storage 3
* Red Hat Update Infrastructure 3

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-twisted package.
Comment 20 errata-xmlrpc 2021-09-15 06:38:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490
Comment 21 errata-xmlrpc 2021-12-09 20:16:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070
Comment 22 Alfredo Moralejo 2024-02-14 11:36:08 UTC 
Fixed in current version of django in RDO python-django-3.2.12-1.el9s  python-django-4.2.6-1.el9s