Bug 1966251 (CVE-2021-33203)
| Summary: | CVE-2021-33203 django: Potential directory traversal via `admindocs` | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, davidn, ehelms, flucifre, gblomqui, gmeno, hvyas, jal233, jcammara, jhardy, jjoyce, jobarker, jschluet, jsherril, kaycoth, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, mhulan, michel, mmccune, mrunge, myarboro, nmoumoul, notting, orabin, osapryki, pcreech, rchan, rdopiera, relrod, rjerrido, rpetrell, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, tkuratom, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Django 3.2.4, Django 3.1.12, Django 2.2.24 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Django. Staff members could use the `django.contrib.admindocs` `TemplateDetailView` view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. The highest threat from this vulnerability is to data confidentiality. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-09-15 18:21:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1967409, 1967411, 1973745, 1973746, 1967139, 1967140, 1967141, 1967143, 1967410, 1967412, 1968063, 1968066, 1968086, 1968300, 1968301, 1968302, 1972021, 1973744 | | |
| Bug Blocks: | 1966255 | | |
Description
Pedro Sampaio
2021-05-31 18:05:07 UTC
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1967409]

Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1967411]
Affects: fedora-all [bug 1967410]
Affects: openstack-rdo [bug 1967412]

For 1.11.x streams, the code uses `os.path` instead of `pathlib.Path`, but as the template input does not go through `safe_join`, this stream must also be affected by the vulnerability. However, as Django 1.11 LTS ended its extended support on April 1, 2020, we do not have an official fix for it from the Django team. https://www.djangoproject.com/download/#supported-versions

~~~
# Excerpt from django/contrib/admindocs/views.py (pre-fix); imports added
# so the excerpt reads stand-alone. BaseAdminDocsView lives in the same module.
import os

from django.core.exceptions import ImproperlyConfigured
from django.template.engine import Engine


class TemplateDetailView(BaseAdminDocsView):
    template_name = 'admin_doc/template_detail.html'

    def get_context_data(self, **kwargs):
        template = self.kwargs['template']
        templates = []
        try:
            default_engine = Engine.get_default()
        except ImproperlyConfigured:
            # Non-trivial TEMPLATES settings aren't supported (#24125).
            pass
        else:
            # This doesn't account for template loaders (#24128).
            for index, directory in enumerate(default_engine.dirs):
                template_file = os.path.join(directory, template)
                # ^------------------------------------- old / vulnerable code
~~~

Analysis is complete for Ansible. As a result, it was found that AAP 1.2 is using the affected version of Django; however, the vulnerable functionality, i.e. the admindocs/admin_doc TemplateDetailView which causes the exploit, is nowhere in use in any component of Ansible. Hence, marking Ansible as affected for this vulnerability, reducing the severity from "medium" to "low" and marking it as "delegated".

Tracker for Ansible Tower 3.6 has been skipped as it's already EOL.

This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.2
Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33203

This issue has been addressed in the following products:
Red Hat Satellite 6.10 for RHEL 7
Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

This issue has been addressed in the following products:
Red Hat OpenStack Platform 16.1
Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070
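The following is an added illustration of the root cause described in the Doc Text and in the excerpt above, not code from this bug or from Django: it puts the unchecked `os.path.join` beside a containment check written from scratch in the spirit of the `safe_join` approach the fix relies on. The directory and template names are constructed sample values.

```python
import os
from pathlib import Path


class SuspiciousFileOperation(Exception):
    """Raised when a template name would leave the template directory."""


def unsafe_template_path(directory: str, template: str) -> str:
    # Pre-fix behaviour: os.path.join trusts the user-supplied template
    # name, so '..' segments (or an absolute name, which discards
    # 'directory' entirely) point outside the template tree. A later
    # os.path.exists() on the result becomes an existence oracle.
    return os.path.join(directory, template)


def unsafe_target(directory: str, template: str) -> str:
    # Pure string normalisation showing where the joined path really points.
    return os.path.normpath(unsafe_template_path(directory, template))


def is_within_template_dir(directory: str, template: str) -> bool:
    # Resolve both paths (collapsing '..' and symlinks) and require the
    # candidate to be the directory itself or something beneath it.
    # Comparing Path objects rather than string prefixes also rejects a
    # sibling such as '/srv/app/templates2', which a startswith() check
    # on '/srv/app/templates' would wrongly accept.
    base = Path(directory).resolve()
    candidate = (base / template).resolve()
    return candidate == base or base in candidate.parents


def safe_template_path(directory: str, template: str) -> str:
    # Hardened replacement for the os.path.join line in the excerpt:
    # refuse anything that does not stay inside 'directory'.
    if not is_within_template_dir(directory, template):
        raise SuspiciousFileOperation(
            f"template name {template!r} escapes {directory!r}"
        )
    return str((Path(directory).resolve() / template).resolve())


if __name__ == "__main__":
    tpl_dir = "/srv/app/templates"  # constructed sample directory
    for name in ("admin/index.html", "../../../etc/passwd", "/etc/passwd"):
        print(name, "->", unsafe_target(tpl_dir, name),
              "| contained:", is_within_template_dir(tpl_dir, name))
```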