2028178 – (CVE-2021-44420) CVE-2021-44420 django: potential bypass of an upstream access control based on URL paths

Bug 2028178 (CVE-2021-44420) - CVE-2021-44420 django: potential bypass of an upstream access control based on URL paths

Summary: CVE-2021-44420 django: potential bypass of an upstream access control based o...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-44420
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2029746 2037442 2037443 2037444 2028856 2028861 2029745 2029747 2029748 2034247 2035391 2035392
Blocks:	2028181
TreeView+	depends on / blocked

Reported:	2021-12-01 16:29 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-03-21 14:49 UTC (History)
CC List:	59 users (show)
Fixed In Version:	django 3.2.10, django 3.1.14, django 2.2.25
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-07-05 19:41:40 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5498	0	None	None	None	2022-07-05 14:27:03 UTC
Red Hat Product Errata	RHSA-2023:0742	0	None	None	None	2023-02-13 12:00:36 UTC

Description Guilherme de Almeida Suckevicz 2021-12-01 16:29:31 UTC

HTTP requests for URLs with trailing newlines could bypass an upstream access control based on URL paths.

Comment 6 Tapas Jena 2021-12-03 06:49:03 UTC

Added the missing affects for Ansible_Automation_platform 2.0

Comment 9 Marian Rehak 2021-12-07 08:32:26 UTC

Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 2029745]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2029746]
Affects: fedora-all [bug 2029748]
Affects: openstack-rdo [bug 2029747]

Comment 17 errata-xmlrpc 2022-07-05 14:27:00 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

Comment 18 Product Security DevOps Team 2022-07-05 19:41:36 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44420

Comment 19 errata-xmlrpc 2023-02-13 12:00:33 UTC

This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2023:0742 https://access.redhat.com/errata/RHSA-2023:0742

Note You need to log in before you can comment on or make changes to this bug.

amctagga
anharris
apevec
bbuckingham
bcoca
bcourt
bkearney
bniver
btotty
caswilli
davidn
dbecker
ehelms
flucifre
gblomqui
gmeno
hvyas
jal233
jcammara
jhardy
jjoyce
jobarker
jschluet
jsherril
jwong
kaycoth
lhh
lpeer
lzap
mabashia
mbenjamin
mburns
mhackett
mhroncok
mhulan
michel
mmccune
mrunge
myarboro
nmoumoul
notting
orabin
osapryki
pcreech
rchan
rdopiera
relrod
rhos-maint
rpetrell
sclewis
security-response-team
sgallagh
slavek.kabrda
slinaber
smcdonal
sostapov
tkuratom
vereddy
ytale