Bug 1957455 (CVE-2021-32052)
| Summary: | CVE-2021-32052 django: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+ | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | alikins, amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, davidn, flucifre, gblomqui, gmeno, hhudgeon, hvyas, jal233, jcammara, jhardy, jjoyce, jmitchel, jobarker, jschluet, kaycoth, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, nmoumoul, notting, osapryki, pcreech, rchan, rdopiera, relrod, rjerrido, rpetrell, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, tkuratom, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | django 3.2.2, django 3.1.10, django 2.2.22 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in django. On Python 3.9.5+, `URLValidator` didn't prohibited newlines and tabs which could lead to a header injection attack if these were used in an HTTP response. The highest threat from this vulnerability is to data confidentiality and integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-28 02:01:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1957661, 1957662, 1957663, 1957664, 1957710, 1958207, 1958208, 1958377, 1958412, 1958413, 1958414 | ||
| Bug Blocks: | 1957456 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-05-05 19:21:40 UTC
Upstream pull: https://github.com/django/django/pull/14349 External References: https://www.djangoproject.com/weblog/2021/may/06/security-releases/ Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1957710] Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Created python-django tracking bugs for this issue: Affects: epel-all [bug 1958207] Affects: openstack-rdo [bug 1958208] The current python version in case of Ansible Engine is 3.6.8 which is not vulnerable to the concerned vulnerability and the current python-django version in case of AAP 1.2 is 2.2.17 which is Affected. Since, Django itself is not vulnerable, marking AAP 1 with Python-Django as affected and Tower and AAP with only Django as "Not affected". Statement: * Red Hat Gluster Storage 3 ships an old version of Django (v1.11.27) that provides support for Python 3.7, hence not affected by this vulnerability. * Red Hat Satellite and Red Hat Update Infrastructure ships affected versions of Django, however, products make use of Python 2.7 and Python 3.6 consumed from RHEL repository. Successful exploitation would require Support to Python version 3.9.5 onward hence products are not affected by this vulnerability. * Red Hat Ceph Storage (RHCS) 2 and 3 ship an affected version of Django. |