Bug 1966251 (CVE-2021-33203) - CVE-2021-33203 django: Potential directory traversal via ``admindocs``
Summary: CVE-2021-33203 django: Potential directory traversal via ``admindocs``
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33203
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1967141 1967409 1967411 1967412 1973745 1973746 1967139 1967140 1967143 1967410 1968063 1968066 1968086 1968300 1968301 1968302 1972021 1973744
Blocks: 1966255
TreeView+ depends on / blocked
 
Reported: 2021-05-31 18:05 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC (History)
59 users (show)

Fixed In Version: Django 3.2.4, Django 3.1.12, Django 2.2.24
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django. Staff members could use the :mod:`~django.contrib.admindocs` ``TemplateDetailView`` view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-09-15 18:21:11 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3490 0 None None None 2021-09-15 06:38:24 UTC
Red Hat Product Errata RHSA-2021:4702 0 None None None 2021-11-16 14:08:16 UTC
Red Hat Product Errata RHSA-2021:5070 0 None None None 2021-12-09 20:16:40 UTC

Description Pedro Sampaio 2021-05-31 18:05:07 UTC
Staff members could use the :mod:`~django.contrib.admindocs` ``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

Comment 2 Summer Long 2021-06-03 06:21:25 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1967409]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1967411]
Affects: fedora-all [bug 1967410]
Affects: openstack-rdo [bug 1967412]

Comment 7 Yadnyawalk Tale 2021-06-04 19:52:35 UTC
For 1.11.x streams, code uses `os.path` instead of `pathlib.Path` but as the template input does not goes through `safe_join` this stream must be also affected by the vulnerability. However, as Django 1.11 LTS ended its extended support on April 1, 2020, we do not have its official fix from Django team.
https://www.djangoproject.com/download/#supported-versions

~~~
336 class TemplateDetailView(BaseAdminDocsView):
337     template_name = 'admin_doc/template_detail.html'
338 
339     def get_context_data(self, **kwargs):
340         template = self.kwargs['template']
341         templates = []
342         try:
343             default_engine = Engine.get_default()
344         except ImproperlyConfigured:
345             # Non-trivial TEMPLATES settings aren't supported (#24125).
346             pass
347         else:
348             # This doesn't account for template loaders (#24128).
349             for index, directory in enumerate(default_engine.dirs):
350                 template_file = os.path.join(directory, template)
                                   ^------------------------------------- old / vulnerable code
~~~

Comment 13 Tapas Jena 2021-06-18 15:42:23 UTC
Analysis is complete for Ansible. As a result, it was found that, AAP 1.2 is using the affected version of DJango, however, the vulnerable functionality i.e. admindocs/admin_doc TemplateDetailView which causes the exploit is nowhere in use in any components of Ansible. Hence, marking Ansible as affected for this vulnerability by reducing the severity from "medium" to "low" and making it as "delegated".

Comment 15 Tapas Jena 2021-06-18 15:45:54 UTC
Tracker for Ansible Tower 3.6 has been skipped as its already EOL.

Comment 21 errata-xmlrpc 2021-09-15 06:38:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3490 https://access.redhat.com/errata/RHSA-2021:3490

Comment 22 Product Security DevOps Team 2021-09-15 18:21:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33203

Comment 23 errata-xmlrpc 2021-11-16 14:08:14 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

Comment 24 errata-xmlrpc 2021-12-09 20:16:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5070 https://access.redhat.com/errata/RHSA-2021:5070


Note You need to log in before you can comment on or make changes to this bug.