Staff members could use the :mod:`~django.contrib.admindocs` ``TemplateDetailView`` view to check the existence of arbitrary files on the server's filesystem, because the user-supplied template name was joined onto each template directory without any containment check. Additionally, if (and only if) the default admindocs templates had been customized by the developers to also expose the file contents, then not only the existence but also the contents of those files would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1967409]

Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1967411]
Affects: fedora-all [bug 1967410]
Affects: openstack-rdo [bug 1967412]
For 1.11.x streams, the code uses `os.path` instead of `pathlib.Path`, but as the template input does not go through `safe_join`, this stream must also be affected by the vulnerability. However, as Django 1.11 LTS ended its extended support on April 1, 2020, we do not have an official fix for it from the Django team. https://www.djangoproject.com/download/#supported-versions

~~~
# Fragment of django/contrib/admindocs/views.py (1.11.x); the imports below are
# those the surrounding module already has, BaseAdminDocsView is defined in it.
import os

from django.core.exceptions import ImproperlyConfigured
from django.template.engine import Engine


class TemplateDetailView(BaseAdminDocsView):
    template_name = 'admin_doc/template_detail.html'

    def get_context_data(self, **kwargs):
        template = self.kwargs['template']
        templates = []
        try:
            default_engine = Engine.get_default()
        except ImproperlyConfigured:
            # Non-trivial TEMPLATES settings aren't supported (#24125).
            pass
        else:
            # This doesn't account for template loaders (#24128).
            for index, directory in enumerate(default_engine.dirs):
                # old / vulnerable code: `template` comes straight from the URL
                # and is joined without any check that it stays under `directory`
                template_file = os.path.join(directory, template)
~~~
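The following is an added example, not Django's code and not part of this bug report. It shows, side by side, the pre-fix lookup from the snippet above (plain `os.path.join` followed by an existence check) and a hardened lookup that refuses any result resolving outside the template root, which is the behaviour the description attributes to the fix. The `safe_join` here is a hypothetical stand-in written for this example that mirrors the intent of Django's `safe_join` but is not Django's implementation; the directory layout, file names and the `demo` helper are constructed for the example and stand in for a real `TEMPLATES['DIRS']` setting and a real probed path.

```python
import os
import tempfile
from pathlib import Path


class SuspiciousFileOperation(Exception):
    """Raised when a joined path resolves outside the intended root."""


def safe_join(base, *paths):
    """Join `paths` onto `base` and refuse any result that escapes `base`.

    Hypothetical stand-in written for this example; it mirrors the intent of
    Django's safe_join but is not Django's implementation.
    """
    base_path = Path(base).resolve()
    # Like os.path.join, pathlib discards everything before an absolute
    # component, so Path("/srv/t", "/etc/passwd") is simply /etc/passwd.
    # resolve() also collapses ".." segments, so containment is checked on
    # the real target, not on the attacker's spelling of it.
    final_path = Path(base, *paths).resolve()
    if final_path != base_path and base_path not in final_path.parents:
        raise SuspiciousFileOperation(
            "The joined path (%s) is located outside of the base path component (%s)"
            % (final_path, base_path)
        )
    return str(final_path)


def vulnerable_lookup(template_dirs, template):
    """Pre-fix behaviour: plain os.path.join, then an existence check.

    `template` is attacker-controlled (it comes from the URL), so "../x" or an
    absolute path escapes the template directory and the existence of any
    readable path on the host can be probed.
    """
    found = []
    for directory in template_dirs:
        template_file = os.path.join(directory, template)
        if os.path.exists(template_file):
            found.append(template_file)
    return found


def hardened_lookup(template_dirs, template):
    """Fixed behaviour: only paths that stay inside a template root count."""
    found = []
    for directory in template_dirs:
        try:
            template_file = safe_join(directory, template)
        except SuspiciousFileOperation:
            # Escapes the root: treat as not found and reveal nothing.
            continue
        if os.path.exists(template_file):
            found.append(template_file)
    return found


def demo():
    """Build a constructed layout in a temp dir and probe it both ways."""
    with tempfile.TemporaryDirectory() as root:
        template_root = Path(root, "templates")
        template_root.mkdir()
        (template_root / "index.html").write_text("<h1>constructed template</h1>")
        secret = Path(root, "secret.txt")  # constructed: lives outside the template root
        secret.write_text("not a template")

        dirs = [str(template_root)]
        return {
            # traversal via ".." and via an absolute path
            "vuln_traversal": vulnerable_lookup(dirs, "../secret.txt"),
            "vuln_absolute": vulnerable_lookup(dirs, str(secret)),
            "hard_traversal": hardened_lookup(dirs, "../secret.txt"),
            "hard_absolute": hardened_lookup(dirs, str(secret)),
            # a legitimate template name still resolves after the fix
            "hard_legit": hardened_lookup(dirs, "index.html"),
        }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:15s} -> {'found' if hits else 'not found'}")
```

The hardened variant swallows the containment failure rather than returning an error distinct from "template not found", so a probe outside the root learns nothing from the response either way; the check is made on the resolved path, which is what defeats both `..` segments and absolute paths in a single rule.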
Analysis is complete for Ansible. As a result, it was found that AAP 1.2 is using the affected version of Django; however, the vulnerable functionality, i.e. the admindocs/admin_doc TemplateDetailView that enables the exploit, is not in use in any component of Ansible. Hence, marking Ansible as affected by this vulnerability, reducing the severity from "medium" to "low" and setting it to "delegated".
Tracker for Ansible Tower 3.6 has been skipped as it is already EOL.
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33203
This issue has been addressed in the following products: Red Hat Satellite 6.10 for RHEL 7 Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070