Bug 1919969 (CVE-2021-3281) - CVE-2021-3281 django: Potential directory-traversal via archive.extract()
Summary: CVE-2021-3281 django: Potential directory-traversal via archive.extract()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1923732 1923735 1920447 1920448 1920449 1920450 1921162 1922559 1923733 1923734 1923983 1925122 1931446 1934375 1934376 1935678 1935679 1973468
Blocks: 1919992
Reported: 2021-01-25 13:40 UTC by Michael Kaplan
Modified: 2024-02-14 11:37 UTC

Fixed In Version: Django 2.2.18, Django 3.0.12, Django 3.1.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django where the `django.utils.archive.extract()` function, used by `startapp --template` and `startproject --template`, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.
Clone Of:
Environment:
Last Closed: 2021-03-09 21:05:56 UTC
Embargoed:
Links
Red Hat Product Errata RHSA-2021:0780 (last updated 2021-03-09 16:02:27 UTC)
Red Hat Product Errata RHSA-2021:0781 (last updated 2021-03-09 15:14:54 UTC)
Red Hat Product Errata RHSA-2021:3490 (last updated 2021-09-15 06:38:20 UTC)
Red Hat Product Errata RHSA-2021:5070 (last updated 2021-12-09 20:16:34 UTC)

Description Michael Kaplan 2021-01-25 13:40:07 UTC
The ``django.utils.archive.extract()`` function, used by ``startapp --template`` and ``startproject --template``, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.
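
As an added illustration (not Django's own fix and not part of this bug report), the following Python helper applies the check the description calls for: an archive member is written only if its name is not absolute and does not resolve outside the destination through dot segments. The function names (`is_safe_member`, `safe_extract`, `build_sample_tar`, `demo`) are hypothetical, and the sample archive is constructed in memory; it also skips link members, which the description does not mention but which are a further way an entry can escape the target directory.

```python
import io
import os
import tarfile
import tempfile


def is_safe_member(name: str, dest: str) -> bool:
    """True only if member `name` lands inside `dest`: rejects absolute names and '..' escapes."""
    if os.path.isabs(name):
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract only plain files/dirs that stay inside dest; return skipped names.

    Link members are skipped as well: a symlink pointing outside dest would let
    a later member escape even though its own path looks safe.
    """
    skipped = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            plain = member.isfile() or member.isdir()
            if not plain or not is_safe_member(member.name, dest):
                skipped.append(member.name)
                continue
            tar.extract(member, path=dest)
    return skipped


def build_sample_tar() -> bytes:
    """Constructed sample: one benign template file and three traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("app/models.py", "../escape.txt", "/tmp/abs.txt", "app/../../up.txt"):
            data = b"# placeholder template content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    """Extract the sample into a fresh temp dir; return (skipped names, benign file written)."""
    dest = tempfile.mkdtemp()
    skipped = safe_extract(build_sample_tar(), dest)
    return skipped, os.path.isfile(os.path.join(dest, "app", "models.py"))
```

Running `demo()` shows the three escaping entries rejected while `app/models.py` is written under the temporary directory.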

Comment 5 Mauro Matteo Cascella 2021-02-01 18:14:19 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1923735]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1923732]
Affects: fedora-all [bug 1923733]
Affects: openstack-rdo [bug 1923734]

Comment 15 errata-xmlrpc 2021-03-09 15:14:44 UTC
This issue has been addressed in the following products:

  Red Hat Automation Hub 4.2 for RHEL 7
  Red Hat Automation Hub 4.2 for RHEL 8

Via RHSA-2021:0781 https://access.redhat.com/errata/RHSA-2021:0781

Comment 16 errata-xmlrpc 2021-03-09 16:02:25 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.8 for RHEL 7

Via RHSA-2021:0780 https://access.redhat.com/errata/RHSA-2021:0780

Comment 17 Product Security DevOps Team 2021-03-09 21:05:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3281

Comment 18 Nick Tait 2021-04-03 16:14:15 UTC
Statement:

The following products ship affected versions of python-django; however, the vulnerable function archive.extract() is currently not used in any part of the product, and hence this issue has been rated as having a security impact of Low:
* Red Hat Gluster Storage 3
* Red Hat Update Infrastructure 3

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-twisted package.

Comment 20 errata-xmlrpc 2021-09-15 06:38:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490

Comment 21 errata-xmlrpc 2021-12-09 20:16:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070

Comment 22 Alfredo Moralejo 2024-02-14 11:36:08 UTC
Fixed in current version of django in RDO: python-django-3.2.12-1.el9s and python-django-4.2.6-1.el9s