Bug 1954294 (CVE-2021-31542)
Summary: | CVE-2021-31542 django: Potential directory-traversal via uploaded files | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, caswilli, chousekn, cmeyers, davidn, flucifre, gblomqui, gmeno, gtanzill, hhudgeon, hvyas, jal233, jcammara, jhardy, jjoyce, jobarker, jschluet, kaycoth, kblack, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, nmoumoul, ntait, osapryki, pcreech, rchan, rdopiera, relrod, rjerrido, rpetrell, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, tkuratom, vereddy |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Django 3.2.1, Django 3.1.9, Django 2.2.21 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Django. `MultiPartParser`, `UploadedFile`, and `FieldFile` allowed directory-traversal via uploaded files with suitably crafted file names. The highest threat from this vulnerability is to data confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-12-09 20:34:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1961136, 1961137, 1966901, 1966902, 1956040, 1956041, 1956042, 1956043, 1956044, 1956045, 1958303, 1958354, 1960882, 1960883, 1961135, 1961138, 1961139 | ||
Bug Blocks: | 1954296 |
Description
Pedro Sampaio
2021-04-27 20:30:53 UTC
Upstream fixes:
[main branch] https://github.com/django/django/commit/0b79eb36915d178aef5c6a7bbce71b1e76d376d3
[3.2 branch] https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007
[3.1 branch] https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48
[2.2 branch] https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d

External References:
https://www.djangoproject.com/weblog/2021/may/04/security-releases/

Statement:
Red Hat Update Infrastructure is in the maintenance phase and we will not be fixing Medium/Low impact security bugs.
Reference: https://access.redhat.com/support/policy/updates/rhui

Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1961136]

Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1961137]
Affects: fedora-all [bug 1961135]
Affects: openstack-rdo [bug 1961138]

Analysis is complete for AAP 1.2 and Ansible Tower. Below are my observations:
> The PulpCore component of AAP 1.2 is found to be using the affected Libs/Functionalities, i.e. UploadedFile. Also, AAP 1.2 as a whole is affected by this vulnerability as it is using an affected version of Django, i.e. django-2.2.16. Hence, marking it as "Affected".
-> manifest.txt:ansible_automation_platform:1.2::el7/django-2.2.16
> When it comes to Tower, though it is using an affected Django version, i.e. django-2.2.11, none of the vulnerable Libs/Functions are being used in Tower. Hence, marking it as "Not Affected".

This issue has been addressed in the following products:
Red Hat Satellite 6.10 for RHEL 7
Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.1
Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-31542
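The Doc Text describes the bug class behind this CVE: a file name taken from a multipart upload (or stored on a FieldFile) was joined onto the storage directory without enough sanitation, so a crafted name could point outside it. The Python below is an added illustration written for this page, not Django's code and not taken from the upstream commits linked above; all function names are this example's own and the sample file names are constructed. It puts the weak pattern (trusting the client-supplied name in a path join) beside two checks of the kind a fix needs: one for bare upload names, which may carry no directory part at all, and one for storage-relative paths, which may contain subdirectories but never an absolute prefix or a `..` component.

```python
"""Path-traversal checks for uploaded file names.

Added example for the CVE-2021-31542 bug class; this is NOT Django's code.
"""
import os
import posixpath


class SuspiciousFileName(ValueError):
    """Raised when a client-supplied file name could escape the upload root."""


def vulnerable_upload_path(upload_root: str, filename: str) -> str:
    """The weak pattern: trust the name from the multipart request as-is.

    os.path.join() does not collapse '..' and discards upload_root entirely
    when the second component is absolute; normpath() here only shows where
    the OS would actually open the resulting path.
    """
    return os.path.normpath(os.path.join(upload_root, filename))


def validate_file_name(name: str) -> str:
    """Accept only a bare file name: no directory part, no '.' or '..'.

    Intended for names that come straight from the multipart parser, where
    a subdirectory is never legitimate.
    """
    if name in ("", ".", ".."):
        raise SuspiciousFileName(f"invalid file name: {name!r}")
    # Check both separators: a Windows client may send backslashes, and on a
    # POSIX server os.path.basename() treats 'a\\..\\b' as one plain name.
    if "/" in name or "\\" in name or name != os.path.basename(name):
        raise SuspiciousFileName(f"file name contains path components: {name!r}")
    return name


def validate_relative_path(name: str) -> str:
    """Accept a storage-relative path such as 'avatars/2021/me.png'.

    Subdirectories are allowed, but an empty name, an absolute path, a drive
    letter (when running on Windows) or any '..' component is rejected.
    """
    normalized = name.replace("\\", "/")
    if (not normalized or os.path.splitdrive(normalized)[0]
            or posixpath.isabs(normalized)):
        raise SuspiciousFileName(f"absolute or empty path not allowed: {name!r}")
    if ".." in normalized.split("/"):
        raise SuspiciousFileName(f"'..' component not allowed: {name!r}")
    return name


def safe_upload_path(upload_root: str, filename: str) -> str:
    """Validate the bare name, then confirm the final path is under the root.

    The second check is defence in depth for roots that are symlinks or
    themselves contain '..' segments.
    """
    validate_file_name(filename)
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        raise SuspiciousFileName(f"resolved path escapes upload root: {target}")
    return target


def classify(names, validator=validate_file_name):
    """Return {name: accepted} for a batch of candidate names under a validator."""
    result = {}
    for name in names:
        try:
            validator(name)
            result[name] = True
        except SuspiciousFileName:
            result[name] = False
    return result


# Constructed sample names of the kind a crafted multipart request could carry.
SAMPLE_NAMES = [
    "report.pdf",
    "../../etc/passwd",
    "/etc/passwd",
    "..",
    "..\\..\\win.ini",
    "avatars/me.png",
]

if __name__ == "__main__":
    root = "/srv/app/uploads"
    accepted = classify(SAMPLE_NAMES)
    for name in SAMPLE_NAMES:
        print(f"{name!r:22} -> weak join opens {vulnerable_upload_path(root, name)!r:28}"
              f" bare-name check accepts: {accepted[name]}")
```

Running the block shows the two failure shapes side by side: `../../etc/passwd` walks up out of the root after normalisation, and `/etc/passwd` replaces the root outright because `os.path.join` resets on an absolute component. The backslash case matters on POSIX servers, where `os.path.basename` would otherwise wave `..\..\win.ini` through as a single ordinary name.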