Bug 1966251 (CVE-2021-33203)

Summary: CVE-2021-33203 django: Potential directory traversal via ``admindocs``
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, davidn, ehelms, flucifre, gblomqui, gmeno, hvyas, jal233, jcammara, jhardy, jjoyce, jobarker, jschluet, jsherril, kaycoth, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, mhulan, michel, mmccune, mrunge, myarboro, nmoumoul, notting, orabin, osapryki, pcreech, rchan, rdopiera, relrod, rjerrido, rpetrell, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sokeeffe, sostapov, tkuratom, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Django 3.2.4, Django 3.1.12, Django 2.2.24
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django. Staff members could use the :mod:`~django.contrib.admindocs` ``TemplateDetailView`` view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. The highest threat from this vulnerability is to data confidentiality.
Story Points: ---
Last Closed: 2021-09-15 18:21:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1967409, 1967411, 1973745, 1973746, 1967139, 1967140, 1967141, 1967143, 1967410, 1967412, 1968063, 1968066, 1968086, 1968300, 1968301, 1968302, 1972021, 1973744
Bug Blocks: 1966255

Description Pedro Sampaio 2021-05-31 18:05:07 UTC
Staff members could use the :mod:`~django.contrib.admindocs` ``TemplateDetailView`` view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

Comment 2 Summer Long 2021-06-03 06:21:25 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1967409]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1967411]
Affects: fedora-all [bug 1967410]
Affects: openstack-rdo [bug 1967412]

Comment 7 Yadnyawalk Tale 2021-06-04 19:52:35 UTC
For 1.11.x streams, code uses `os.path` instead of `pathlib.Path`, but as the template input does not go through `safe_join`, this stream must also be affected by the vulnerability. However, as Django 1.11 LTS ended its extended support on April 1, 2020, we do not have its official fix from the Django team.
https://www.djangoproject.com/download/#supported-versions

~~~
import os

from django.contrib.admindocs.views import BaseAdminDocsView
from django.core.exceptions import ImproperlyConfigured
from django.template.engine import Engine


class TemplateDetailView(BaseAdminDocsView):
    template_name = 'admin_doc/template_detail.html'

    def get_context_data(self, **kwargs):
        # 'template' is taken straight from the URL and is not sanitised.
        template = self.kwargs['template']
        templates = []
        try:
            default_engine = Engine.get_default()
        except ImproperlyConfigured:
            # Non-trivial TEMPLATES settings aren't supported (#24125).
            pass
        else:
            # This doesn't account for template loaders (#24128).
            for index, directory in enumerate(default_engine.dirs):
                # Old / vulnerable code: plain os.path.join honours '..' segments,
                # so the joined path is not confined to the template directory.
                template_file = os.path.join(directory, template)
~~~
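
Added example, not part of the bug report or of Django's own code: it contrasts the unsanitised `os.path.join` lookup shown in the 1.11 snippet above with a lookup guarded by a `safe_join` re-implementation that follows the contract of `django.utils._os.safe_join` (assumed to match Django's behaviour); the `SuspiciousFileOperation` stand-in, the `probe_*` helpers, `demo()` and the temporary directory layout are constructed here so it runs without Django installed.

```python
import os
import tempfile
from os.path import abspath, dirname, join, normcase, sep


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation (constructed here)."""


def safe_join(base, *paths):
    """Re-implementation of the django.utils._os.safe_join contract: return the joined
    absolute path, or raise if it resolves outside ``base`` (assumed to match Django)."""
    final_path = abspath(join(base, *paths))
    base_path = abspath(base)
    if (not normcase(final_path).startswith(normcase(base_path + sep))
            and normcase(final_path) != normcase(base_path)
            and dirname(normcase(base_path)) != normcase(base_path)):
        raise SuspiciousFileOperation(
            f"The joined path ({final_path}) is located outside of the base path component ({base_path})")
    return final_path


def probe_unsanitized(dirs, template):
    """1.11-style lookup: os.path.join honours '..' segments, so any file on disk can be probed."""
    return {d: os.path.exists(os.path.join(d, template)) for d in dirs}


def probe_sanitized(dirs, template):
    """Fixed lookup: safe_join refuses paths that leave a template root
    (Django turns the exception into an HTTP 400 response)."""
    return {d: os.path.exists(safe_join(d, template)) for d in dirs}


def demo():
    """Constructed layout: <tmp>/templates/index.html is a real template and
    <tmp>/secret.txt sits outside the template root. Returns what each lookup reveals."""
    with tempfile.TemporaryDirectory() as tmp:
        root = join(tmp, "templates")
        os.mkdir(root)
        open(join(root, "index.html"), "w").close()
        open(join(tmp, "secret.txt"), "w").close()
        result = {
            "normal_unsanitized": probe_unsanitized([root], "index.html")[root],
            "normal_sanitized": probe_sanitized([root], "index.html")[root],
            "traversal_unsanitized": probe_unsanitized([root], "../secret.txt")[root],
        }
        try:
            probe_sanitized([root], "../secret.txt")
            result["traversal_sanitized"] = "probed"
        except SuspiciousFileOperation:
            result["traversal_sanitized"] = "rejected"
    return result
```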

Comment 13 Tapas Jena 2021-06-18 15:42:23 UTC
Analysis is complete for Ansible. As a result, it was found that AAP 1.2 is using the affected version of Django; however, the vulnerable functionality, i.e. the admindocs/admin_doc TemplateDetailView which causes the exploit, is nowhere in use in any components of Ansible. Hence, marking Ansible as affected for this vulnerability by reducing the severity from "medium" to "low" and making it "delegated".

Comment 15 Tapas Jena 2021-06-18 15:45:54 UTC
Tracker for Ansible Tower 3.6 has been skipped as it's already EOL.

Comment 21 errata-xmlrpc 2021-09-15 06:38:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490

Comment 22 Product Security DevOps Team 2021-09-15 18:21:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33203

Comment 23 errata-xmlrpc 2021-11-16 14:08:14 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 24 errata-xmlrpc 2021-12-09 20:16:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070