Bug 1954294 (CVE-2021-31542) - CVE-2021-31542 django: Potential directory-traversal via uploaded files
Summary: CVE-2021-31542 django: Potential directory-traversal via uploaded files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31542
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1956044 1961136 1961137 1961138 1966901 1966902 1956040 1956041 1956042 1956043 1956045 1958303 1958354 1960882 1960883 1961135 1961139
Blocks: 1954296
TreeView+ depends on / blocked
 
Reported: 2021-04-27 20:30 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC (History)
58 users (show)

Fixed In Version: Django 3.2.1, Django 3.1.9, Django 2.2.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django. `MultiPartParser`, `UploadedFile`, and `FieldFile` allowed directory-traversal via uploaded files with suitably crafted file names. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-12-09 20:34:32 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:08:08 UTC
Red Hat Product Errata RHSA-2021:5070 0 None None None 2021-12-09 20:16:35 UTC

Description Pedro Sampaio 2021-04-27 20:30:53 UTC 
A flaw was found in django. ``MultiPartParser``, ``UploadedFile``, and ``FieldFile`` allowed directory-traversal via uploaded files with suitably crafted file names.
Comment 2 Hardik Vyas 2021-05-04 11:03:12 UTC 
Upstream fixes:

[main branch] https://github.com/django/django/commit/0b79eb36915d178aef5c6a7bbce71b1e76d376d3
[3.2 branch] https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007
[3.1 branch] https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48
[2.2 branch] https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d
Comment 3 Hardik Vyas 2021-05-04 11:03:20 UTC 
External References:

https://www.djangoproject.com/weblog/2021/may/04/security-releases/
Comment 6 Yadnyawalk Tale 2021-05-07 17:27:50 UTC 
Statement:

Red Hat Update Infrastructure is in the maintenance phase and we will not be fixing Medium/Low impact security bugs. Reference: https://access.redhat.com/support/policy/updates/rhui
Comment 9 Hardik Vyas 2021-05-17 10:36:11 UTC 
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1961136]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1961137]
Affects: fedora-all [bug 1961135]
Affects: openstack-rdo [bug 1961138]
Comment 11 Tapas Jena 2021-06-02 07:20:56 UTC 
Analysis is complete for AAP 1.2 and Ansible Tower. Below are my observations:
> The PulpCore component of AAP 1.2 is found to be using the affected Libs/Functionalities i.e. UploadedFile. Also, AAP 1.2 as a whole affected to this vulnerability as its using affected version of Django i.e. django-2.2.16. Hence, marking it as "Affected".
  -> manifest.txt:ansible_automation_platform:1.2::el7/django-2.2.16
> When it comes to Tower, though its using the affected Django version i.e. django-2.2.11, None of the vulnerable Libs/Functions are being used in Tower. Hence, marking it as "Not Affected".
Comment 18 errata-xmlrpc 2021-11-16 14:08:05 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702
Comment 19 errata-xmlrpc 2021-12-09 20:16:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070
Comment 20 Product Security DevOps Team 2021-12-09 20:34:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31542
Note You need to log in before you can comment on or make changes to this bug.