CVE-2021-3281: Path Traversal
First published: Mon Jan 25 2021(Updated: )
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/django | >=3.0<3.0.12 | 3.0.12 |
| pip/django | >=3.1<3.1.6 | 3.1.6 |
| pip/django | >=2.2<2.2.18 | 2.2.18 |
| redhat/automation-hub | <0:4.2.2-1.el7 | 0:4.2.2-1.el7 |
| redhat/python3-django | <0:2.2.18-1.el7 | 0:2.2.18-1.el7 |
| redhat/python-bleach | <0:3.3.0-1.el7 | 0:3.3.0-1.el7 |
| redhat/python-bleach-allowlist | <0:1.0.3-1.el7 | 0:1.0.3-1.el7 |
| redhat/python-galaxy-importer | <0:0.2.15-1.el7 | 0:0.2.15-1.el7 |
| redhat/python-galaxy-ng | <0:4.2.2-1.el7 | 0:4.2.2-1.el7 |
| redhat/python-pulp-ansible | <1:0.5.6-1.el7 | 1:0.5.6-1.el7 |
| redhat/automation-hub | <0:4.2.2-1.el8 | 0:4.2.2-1.el8 |
| redhat/python3-django | <0:2.2.18-1.el8 | 0:2.2.18-1.el8 |
| redhat/python-bleach | <0:3.3.0-1.el8 | 0:3.3.0-1.el8 |
| redhat/python-bleach-allowlist | <0:1.0.3-1.el8 | 0:1.0.3-1.el8 |
| redhat/python-galaxy-importer | <0:0.2.15-1.el8 | 0:0.2.15-1.el8 |
| redhat/python-galaxy-ng | <0:4.2.2-1.el8 | 0:4.2.2-1.el8 |
| redhat/python-pulp-ansible | <1:0.5.6-1.el8 | 1:0.5.6-1.el8 |
| redhat/python-django20 | <0:2.0.13-16.el8 | 0:2.0.13-16.el8 |
| Djangoproject Django | >=2.2<2.2.18 | |
| Djangoproject Django | >=3.0<3.0.12 | |
| Djangoproject Django | >=3.1<3.1.6 | |
| Fedoraproject Fedora | =33 | |
| Netapp Snapcenter | ||
| redhat/Django | <2.2.18 | 2.2.18 |
| redhat/Django | <3.0.12 | 3.0.12 |
| redhat/Django | <3.1.6 | 3.1.6 |
| >=2.2<2.2.18 | ||
| >=3.0<3.0.12 | ||
| >=3.1<3.1.6 | ||
| =33 | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-3281 https://nvd.nist.gov/vuln/detail/CVE-2021-3281
- https://bugzilla.redhat.com/show_bug.cgi?id=1919969
- https://access.redhat.com/errata/RHSA-2021:0780
- https://access.redhat.com/errata/RHSA-2021:0781
- https://access.redhat.com/errata/RHSA-2021:5070
- https://access.redhat.com/errata/RHSA-2021:3490
- https://access.redhat.com/security/cve/cve-2021-3281
- https://docs.djangoproject.com/en/3.1/releases/security/
- https://groups.google.com/forum/#!forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
- https://security.netapp.com/advisory/ntap-20210226-0004/
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1923735
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1923732
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1923733
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1923734
- https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23
- https://github.com/django/django/commit/f944f79e555c91571192022a6bb9ddf2178db7ed
- https://github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624
- https://github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86a
- https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
- https://nvd.nist.gov/vuln/detail/CVE-2021-3281
- https://docs.djangoproject.com/en/3.1/releases/3.0.12
- https://docs.djangoproject.com/en/3.1/releases/security
- https://github.com/advisories/GHSA-fvgf-6h6h-3322 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-9.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO
- https://security.netapp.com/advisory/ntap-20210226-0004
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-3281.
What is the severity of CVE-2021-3281?
The severity of CVE-2021-3281 is medium with a severity value of 5.3.
What is the affected software?
The affected software is Django versions 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6.
How can this vulnerability be exploited?
This vulnerability can be exploited through a directory traversal attack using an archive with absolute paths or relative paths with dot segments.
Where can I find more information about CVE-2021-3281?
You can find more information about CVE-2021-3281 in the following references: [link1], [link2], [link3].
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/author
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3281
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-fvgf-6h6h-3322
- agent/last-modified-date
- agent/references
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- package-manager/redhat
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/2.2
- version/djangoproject django/3.0
- version/djangoproject django/3.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- vendor/netapp
- canonical/netapp snapcenter
- package-manager/pip