Bug 1954294 (CVE-2021-31542)

Summary: CVE-2021-31542 django: Potential directory-traversal via uploaded files
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, caswilli, chousekn, cmeyers, davidn, flucifre, gblomqui, gmeno, gtanzill, hhudgeon, hvyas, jal233, jcammara, jhardy, jjoyce, jobarker, jschluet, kaycoth, kblack, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, nmoumoul, ntait, osapryki, pcreech, rchan, rdopiera, relrod, rjerrido, rpetrell, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, tkuratom, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Django 3.2.1, Django 3.1.9, Django 2.2.21 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django. `MultiPartParser`, `UploadedFile`, and `FieldFile` allowed directory-traversal via uploaded files with suitably crafted file names. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-09 20:34:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1961136, 1961137, 1966901, 1966902, 1956040, 1956041, 1956042, 1956043, 1956044, 1956045, 1958303, 1958354, 1960882, 1960883, 1961135, 1961138, 1961139    
Bug Blocks: 1954296    

Description Pedro Sampaio 2021-04-27 20:30:53 UTC
A flaw was found in django. ``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed directory-traversal via uploaded files with suitably crafted file names.

Comment 3 Hardik Vyas 2021-05-04 11:03:20 UTC
External References:

https://www.djangoproject.com/weblog/2021/may/04/security-releases/

Comment 6 Yadnyawalk Tale 2021-05-07 17:27:50 UTC
Statement:

Red Hat Update Infrastructure is in the maintenance phase and we will not be fixing Medium/Low impact security bugs. Reference: https://access.redhat.com/support/policy/updates/rhui

Comment 9 Hardik Vyas 2021-05-17 10:36:11 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1961136]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1961137]
Affects: fedora-all [bug 1961135]
Affects: openstack-rdo [bug 1961138]

Comment 11 Tapas Jena 2021-06-02 07:20:56 UTC
Analysis is complete for AAP 1.2 and Ansible Tower. Below are my observations:
> The PulpCore component of AAP 1.2 is found to be using the affected Libs/Functionalities i.e. UploadedFile. Also, AAP 1.2 as a whole affected to this vulnerability as its using affected version of Django i.e. django-2.2.16. Hence, marking it as "Affected".
  -> manifest.txt:ansible_automation_platform:1.2::el7/django-2.2.16
> When it comes to Tower, though its using the affected Django version i.e. django-2.2.11, None of the vulnerable Libs/Functions are being used in Tower. Hence, marking it as "Not Affected".

Comment 18 errata-xmlrpc 2021-11-16 14:08:05 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 19 errata-xmlrpc 2021-12-09 20:16:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070

Comment 20 Product Security DevOps Team 2021-12-09 20:34:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31542