Bug 1919969 (CVE-2021-3281)
Summary: | CVE-2021-3281 django: Potential directory-traversal via archive.extract() | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | amctagga, amoralej, anharris, apevec, bbuckingham, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, cmoore, davidn, dbecker, dkuc, flucifre, gblomqui, gmeno, hhudgeon, hvyas, jal233, jhardy, jjoyce, jschluet, kaycoth, kwalsh, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, mseri, nmoumoul, notting, osapryki, puebele, rchan, rdopiera, rhel8-maint, rhos-maint, rjerrido, rpetrell, sclewis, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | Django 2.2.18, Django 3.0.12, Django 3.1.6 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in django where the `django.utils.archive.extract()` function, used by `startapp --template` and `startproject --template`, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-03-09 21:05:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1923732, 1923735, 1920447, 1920448, 1920449, 1920450, 1921162, 1922559, 1923733, 1923734, 1923983, 1925122, 1931446, 1934375, 1934376, 1935678, 1935679, 1973468 | | |
Bug Blocks: | 1919992 | | |
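The Doc Text above names the two member shapes that let `archive.extract()` write outside its target: absolute names, and relative names whose dot segments climb out of the extraction directory. The Python below is an added example, not Django's code and not the upstream fix, showing that pre-extraction check run over a constructed in-memory tar; `is_safe_member`, `first_unsafe_member`, `build_demo_tar` and the target directory path are assumptions of this example.

```python
import io
import os
import posixpath
import tarfile


def is_safe_member(name: str, target_dir: str) -> bool:
    """True only if a member called `name` would land inside `target_dir`.

    Rejects the two shapes the Doc Text names: absolute names, and relative
    names whose ".." segments climb out of the extraction directory.
    """
    if not name or posixpath.isabs(name) or os.path.isabs(name):
        return False
    target = os.path.realpath(target_dir)
    # Resolve "." and ".." segments, then require the result to stay under target.
    dest = os.path.realpath(os.path.join(target, *name.split("/")))
    return dest == target or dest.startswith(target + os.sep)


def first_unsafe_member(archive: tarfile.TarFile, target_dir: str):
    """Return the name of the first member failing the check, or None if all pass.

    Only member names are inspected (the flaw described here); symlink and
    hardlink members would need their link targets checked as well.
    """
    for member in archive.getmembers():
        if not is_safe_member(member.name, target_dir):
            return member.name
    return None


def build_demo_tar(names) -> tarfile.TarFile:
    """Constructed in-memory sample archive: one empty file per name in `names`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    target = "/tmp/cve-2021-3281-demo-target"  # hypothetical; need not exist
    hostile = build_demo_tar(["pkg/__init__.py", "../../outside.txt"])
    print(first_unsafe_member(hostile, target))  # ../../outside.txt
    clean = build_demo_tar(["pkg/__init__.py", "pkg/../README.md"])
    print(first_unsafe_member(clean, target))  # None
```

A name that contains `..` is not rejected by itself: `pkg/../README.md` still resolves inside the target and passes, which is why the check normalises first and compares the result rather than searching for dot segments.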
Description
Michael Kaplan
2021-01-25 13:40:07 UTC
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1923735]

Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1923732]
Affects: fedora-all [bug 1923733]
Affects: openstack-rdo [bug 1923734]

Upstream fix:
https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23 [master]
https://github.com/django/django/commit/f944f79e555c91571192022a6bb9ddf2178db7ed [3.2]
https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624 [3.1]
https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a [3.0]
https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37 [2.2]

This issue has been addressed in the following products:
Red Hat Automation Hub 4.2 for RHEL 7
Red Hat Automation Hub 4.2 for RHEL 8
Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781

This issue has been addressed in the following products:
Red Hat Ansible Tower 3.8 for RHEL 7
Via RHSA-2021:0780 https://access.redhat.com/errata/RHSA-2021:0780

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3281

Statement:
The following products ship affected versions of python-django; however, the vulnerable function archive.extract() is currently not used in any part of the product, and hence this issue has been rated as having a security impact of Low:
* Red Hat Gluster Storage 3
* Red Hat Update Infrastructure 3

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-twisted package.

This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.2
Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490

This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.1
Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070

Fixed in current version of django in RDO:
python-django-3.2.12-1.el9s
python-django-4.2.6-1.el9s