A flaw was found in Django. On Python 3.9.5+, ``URLValidator`` didn't prohibited newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because ``HttpResponse`` prohibit newlines in HTTP headers.
Upstream pull: https://github.com/django/django/pull/14349
External References: https://www.djangoproject.com/weblog/2021/may/06/security-releases/
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1957710]
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Created python-django tracking bugs for this issue: Affects: epel-all [bug 1958207] Affects: openstack-rdo [bug 1958208]
The current python version in case of Ansible Engine is 3.6.8 which is not vulnerable to the concerned vulnerability and the current python-django version in case of AAP 1.2 is 2.2.17 which is Affected. Since, Django itself is not vulnerable, marking AAP 1 with Python-Django as affected and Tower and AAP with only Django as "Not affected".
Statement: * Red Hat Gluster Storage 3 ships an old version of Django (v1.11.27) that provides support for Python 3.7, hence not affected by this vulnerability. * Red Hat Satellite and Red Hat Update Infrastructure ships affected versions of Django, however, products make use of Python 2.7 and Python 3.6 consumed from RHEL repository. Successful exploitation would require Support to Python version 3.9.5 onward hence products are not affected by this vulnerability. * Red Hat Ceph Storage (RHCS) 2 and 3 ship an affected version of Django.