Bug 1944801 (CVE-2021-28658) - CVE-2021-28658 django: potential directory-traversal via uploaded files
Summary: CVE-2021-28658 django: potential directory-traversal via uploaded files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-28658
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1946167 1946168 1946581 1945735 1945790 1945791 1946217 1946218 1946219 1946220 1946221 1946580 1946582 1948016 1952799
Blocks: 1944803
Reported: 2021-03-30 17:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)
CC List: 56 users

Fixed In Version: python-django 2.2, python-django 3.0, python-django 3.1, python-django 3.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django. This flaw allows an attacker to upload specially-named files and exploit a flaw in the `MultiPartParser()` function to traverse directories. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-10-28 18:09:24 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:08:03 UTC
Red Hat Product Errata RHSA-2021:5070 0 None None None 2021-12-09 20:16:34 UTC

Description Guilherme de Almeida Suckevicz 2021-03-30 17:07:16 UTC
'MultiPartParser' allowed directory-traversal via uploaded files with suitably crafted file names.

Comment 6 Oleksandr Saprykin 2021-03-31 14:21:12 UTC
How can I get more details on the issue?
It doesn't look like I can access the CVE via the link in the title.

Comment 7 Tapas Jena 2021-04-01 12:42:10 UTC
Ansible Tower doesn't use the vulnerable function, i.e. "MultiPartParser", which is what makes Django vulnerable to this bug. Hence, marking Ansible Tower as "Not Affected".

Comment 8 Grant Gainey 2021-04-01 19:41:59 UTC
pulp_ansible appears to use the affected entity:

  https://github.com/pulp/pulp_ansible/blob/master/pulp_ansible/app/viewsets.py#L280

pulpcore is currently planning a 3.12 release for 8-APR; if Django-2.2.20 is released, we might want to bump our current requirement up from 2.2.19.

Comment 13 Guilherme de Almeida Suckevicz 2021-04-06 12:57:08 UTC
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1946581]
Affects: fedora-all [bug 1946580]
Affects: openstack-rdo [bug 1946582]

Comment 15 Nick Tait 2021-04-06 17:41:48 UTC
External References:

https://www.djangoproject.com/weblog/2021/apr/06/security-releases/

Comment 17 Yadnyawalk Tale 2021-04-09 19:30:39 UTC
Django 1.11.29 and 1.11.13 are also affected, as they use the `IE_sanitize` function in the source code. Django cannot confirm this officially, as its extended support ended on April 1, 2020: https://www.djangoproject.com/download/

django/http/multipartparser.py:
~~~
                    file_name = disposition.get('filename')
                    if file_name:
                        file_name = force_text(file_name, encoding, errors='replace')
                        # HTML entities are decoded first, then only an IE-style
                        # full path is trimmed
                        file_name = self.IE_sanitize(unescape_entities(file_name))
                    if not file_name:
                        continue
...
    def IE_sanitize(self, filename):
        """Cleanup filename from Internet Explorer full paths."""
        # keeps only what follows the last backslash; forward slashes and
        # '..' components pass through unchanged
        return filename and filename[filename.rfind("\\") + 1:].strip()
~~~
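
As an added example (not code from this bug report or from Django itself), the quoted sanitizer is placed beside a hardened version and both are run over constructed filenames; `html.unescape` stands in for Django's `unescape_entities`, and `sanitize_file_name` is my own name and body for the hardened function, written along the lines of the upstream fix.

```python
import html

# Vulnerable sanitizer as quoted above (pre-fix Django): it keeps only the text
# after the LAST backslash, so forward-slash paths and ".." pass through.
def ie_sanitize(filename):
    """Cleanup filename from Internet Explorer full paths."""
    return filename and filename[filename.rfind("\\") + 1:].strip()

def vulnerable_clean(file_name):
    """Mirrors the quoted parser path: decode entities, then IE_sanitize.
    html.unescape stands in for Django's unescape_entities (assumption)."""
    return ie_sanitize(html.unescape(file_name))

# Hardened replacement (my own name and body, along the lines of the upstream
# fix): reduce the name to its last path component for BOTH separator styles
# and reject results that are empty or a bare '.' / '..'.
def sanitize_file_name(file_name):
    file_name = html.unescape(file_name)
    file_name = file_name.rsplit('/')[-1]
    file_name = file_name.rsplit('\\')[-1]
    file_name = file_name.strip()
    if file_name in {'', '.', '..'}:
        return None   # caller skips the part, like `if not file_name: continue`
    return file_name

# Constructed Content-Disposition filename values, not taken from any real request.
SAMPLES = [
    "report.txt",
    "C:\\Users\\alice\\report.txt",   # the IE full-path case IE_sanitize was written for
    "../../../tmp/report.txt",        # parent-directory components with forward slashes
    "..\\..\\report.txt",             # the same with backslashes
    "..",                             # a bare parent-directory name
    "&#46;&#46;/report.txt",          # entity-encoded dots, decoded before sanitizing
]

def compare(samples=SAMPLES):
    """Map each sample to (vulnerable result, hardened result) for side-by-side review."""
    return {s: (vulnerable_clean(s), sanitize_file_name(s)) for s in samples}

def is_single_component(name):
    """True when a sanitizer output cannot leave the upload directory."""
    return bool(name) and '/' not in name and '\\' not in name and name not in {'.', '..'}

if __name__ == "__main__":
    for name, (vuln, hard) in compare().items():
        print(f"{name!r:32} vulnerable={vuln!r:28} hardened={hard!r}")
```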

Comment 18 Yadnyawalk Tale 2021-04-09 19:55:37 UTC
Statement:

Although Red Hat Ansible Tower ships the flawed code, it does not use the vulnerable function, i.e. "MultiPartParser", and therefore will not be updated.

Red Hat Update Infrastructure ships an affected version of python-django; however, RHUI v3 is in the maintenance support phase and we are only fixing critical and important flaws. Please refer to the RHUI support lifecycle page for more information: https://access.redhat.com/support/policy/updates/rhui.

Comment 26 errata-xmlrpc 2021-11-16 14:08:00 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 27 errata-xmlrpc 2021-12-09 20:16:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070

