Bug 1944801 (CVE-2021-28658)

Summary: CVE-2021-28658 django: potential directory-traversal via uploaded files
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, davidn, flucifre, gblomqui, ggainey, gmeno, hhudgeon, hvyas, jal233, jcammara, jhardy, jjoyce, jneedle, jobarker, jschluet, kaycoth, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, nmoumoul, notting, osapryki, pcreech, rchan, rdopiera, relrod, rjerrido, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, tkuratom, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-django 2.2, python-django 3.0, python-django 3.1, python-django 3.2
Doc Text:
A flaw was found in Django. This flaw allows an attacker to upload specially named files and exploit a flaw in the `MultiPartParser()` function to traverse directories. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Last Closed: 2021-10-28 18:09:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1945735, 1945790, 1945791, 1946167, 1946168, 1946217, 1946218, 1946219, 1946220, 1946221, 1946580, 1946581, 1946582, 1948016, 1952799
Bug Blocks: 1944803

Description Guilherme de Almeida Suckevicz 2021-03-30 17:07:16 UTC
'MultiPartParser' allowed directory-traversal via uploaded files with suitably crafted file names.

Comment 6 Oleksandr Saprykin 2021-03-31 14:21:12 UTC
How can I get more details on the issue?
It doesn't look like I can access the CVE via the link in the title.

Comment 7 Tapas Jena 2021-04-01 12:42:10 UTC
Ansible Tower doesn't use the vulnerable function, i.e. "MultiPartParser", which makes Django vulnerable to this bug. Hence, marking Ansible Tower as "Not Affected".

Comment 8 Grant Gainey 2021-04-01 19:41:59 UTC
pulp_ansible appears to use the affected entity:

  https://github.com/pulp/pulp_ansible/blob/master/pulp_ansible/app/viewsets.py#L280

pulpcore is currently planning a 3.12 release for 8-APR; if Django-2.2.20 is released, we might want to raise our current requirement from 2.2.19.

Comment 13 Guilherme de Almeida Suckevicz 2021-04-06 12:57:08 UTC
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1946581]
Affects: fedora-all [bug 1946580]
Affects: openstack-rdo [bug 1946582]

Comment 15 Nick Tait 2021-04-06 17:41:48 UTC
External References:

https://www.djangoproject.com/weblog/2021/apr/06/security-releases/

Comment 17 Yadnyawalk Tale 2021-04-09 19:30:39 UTC
Django 1.11.29 and 1.11.13 are also affected, as those use the `IE_sanitize` function in the source code. Django cannot confirm this officially, as its extended support ended on April 1, 2020: https://www.djangoproject.com/download/

django/http/multipartparser.py:
~~~
# Excerpt from MultiPartParser.parse(): the Content-Disposition filename is
# decoded, HTML entities are unescaped, and then only IE_sanitize is applied.
file_name = disposition.get('filename')
if file_name:
    file_name = force_text(file_name, encoding, errors='replace')
    file_name = self.IE_sanitize(unescape_entities(file_name))
if not file_name:
    continue
...
def IE_sanitize(self, filename):
    """Cleanup filename from Internet Explorer full paths."""
    # Keeps only the text after the last backslash; forward slashes and
    # '..' components pass through untouched.
    return filename and filename[filename.rfind("\\") + 1:].strip()
~~~
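
The weakness in the quoted `IE_sanitize` beside a hardened form, as an added example that is not Django's code or part of this report. `html.unescape` stands in for Django's `unescape_entities`, the `sanitize_file_name` and `is_confined` functions are written here (modelled on the approach the fixed releases take, which is an assumption), and the sample filenames are constructed.

```python
import html
import posixpath

# Vulnerable sanitizer as quoted in the report (Django 1.11 line): it keeps only
# the text after the last backslash, so forward slashes and '..' survive.
def ie_sanitize(filename):
    return filename and filename[filename.rfind("\\") + 1:].strip()

# Name as the quoted parser would store it. html.unescape stands in for
# Django's unescape_entities here (assumption made for this example).
def legacy_upload_name(raw_name):
    return ie_sanitize(html.unescape(raw_name))

# Hardened sanitizer, written for this example and modelled on the approach of
# the fixed releases: unescape first, drop every path component on either
# separator, and refuse names that are empty or are a directory reference.
def sanitize_file_name(raw_name):
    if not raw_name:
        return None
    name = html.unescape(raw_name)
    name = name.rsplit('/')[-1]
    name = name.rsplit('\\')[-1]
    if name in {'', '.', '..'}:
        return None
    return name

# Defensive check a storage layer can apply regardless of the parser: the
# resolved target must still be a direct child of the upload directory.
def is_confined(name, upload_dir="/srv/uploads"):
    if not name:
        return False
    target = posixpath.normpath(posixpath.join(upload_dir, name))
    return posixpath.dirname(target) == posixpath.normpath(upload_dir)

# Constructed sample Content-Disposition filenames, including an entity-encoded one.
SAMPLES = [
    "report.pdf",
    "C:\\Users\\me\\report.pdf",
    "../../report.pdf",
    "&#46;&#46;/report.pdf",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        old, new = legacy_upload_name(raw), sanitize_file_name(raw)
        print(f"{raw!r:32} legacy={old!r:22} confined={is_confined(old)!s:5} hardened={new!r}")
```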

Comment 18 Yadnyawalk Tale 2021-04-09 19:55:37 UTC
Statement:

Although Red Hat Ansible Tower ships the flawed code, it does not use the vulnerable function, i.e. "MultiPartParser", and therefore will not be updated.

Red Hat Update Infrastructure ships an affected version of python-django; however, RHUI v3 is in the maintenance support phase and we are only fixing critical and important issues. Please refer to the RHUI support lifecycle page for more information: https://access.redhat.com/support/policy/updates/rhui.

Comment 26 errata-xmlrpc 2021-11-16 14:08:00 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 27 errata-xmlrpc 2021-12-09 20:16:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070