First published: Mon May 31 2021
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
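The defect class here is CWE-22: a staff-supplied template name is joined onto a template directory and the result is used to test whether a file exists, without checking that the joined path still lies inside that directory. The following is an added example (not Django's own code, and not the admindocs fix itself) of the containment check that closes that class of hole; the template roots in `TEMPLATE_ROOTS` are constructed sample paths, and in a real project they would come from the configured template engines.

```python
"""
Added example: path-containment check for a "does this template exist"
lookup. A user-controlled name may only be used to probe the filesystem
if the normalised root/name path still lies within one of the template
root directories. This is illustrative code, not Django's implementation.
"""
import os
from pathlib import Path

# Constructed sample roots (assumption: not taken from any real project).
TEMPLATE_ROOTS = [Path("/srv/app/templates"), Path("/srv/app/vendor/templates")]


def resolve_template_path(roots, name):
    """Return the first root/name path that stays inside its root, else None.

    The check is done on the lexically normalised path, so '..' segments,
    absolute names and redundant separators cannot move the result outside
    the root. pathlib compares path components, so a root named
    '/srv/app/templates' does not accidentally accept '/srv/app/templatesX'.
    Symlinks are not followed because the sample roots do not exist on
    disk; production code should also resolve an existing root with
    Path.resolve() before comparing.
    """
    for root in roots:
        root_norm = Path(os.path.normpath(root))
        # Joining an absolute name replaces the root entirely; normpath
        # collapses any '..' segments before the containment test.
        candidate = Path(os.path.normpath(root_norm / name))
        if candidate == root_norm:
            continue  # empty or '.' name: refuse to answer for the root itself
        try:
            candidate.relative_to(root_norm)
        except ValueError:
            continue  # escapes this root; try the next
        return candidate
    return None


def template_exists(roots, name):
    """What a hardened existence check does with an untrusted name.

    An out-of-root name is answered exactly like a missing template, so
    the response carries no information about files outside the roots.
    """
    path = resolve_template_path(roots, name)
    if path is None:
        return False
    return path.is_file()


if __name__ == "__main__":
    for probe in ["admin/index.html", "../../../etc/passwd", "/etc/passwd", ""]:
        print(repr(probe), "->", resolve_template_path(TEMPLATE_ROOTS, probe))
```

Rejected names are a useful signal for detection: logging the raw `name` whenever `resolve_template_path` returns `None` for an authenticated staff session makes traversal probing visible in the application log without changing the response the user sees.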
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-django20 | <0:2.0.13-16.el8 | 0:2.0.13-16.el8 |
| redhat/python3-django | <0:2.2.24-1.el7 | 0:2.2.24-1.el7 |
| Djangoproject Django | <2.2.24 | |
| Djangoproject Django | >=3.0.0 <3.1.12 | |
| Djangoproject Django | >=3.2.0 <3.2.4 | |
| Fedoraproject Fedora | =35 | |
| redhat/Django | <3.2.4 | 3.2.4 |
| redhat/Django | <3.1.12 | 3.1.12 |
| redhat/Django | <2.2.24 | 2.2.24 |
| pip/Django | >=3.2 <3.2.4 | 3.2.4 |
| pip/Django | >=3.0 <3.1.12 | 3.1.12 |
| pip/django | <2.2.24 | 2.2.24 |
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
CVE-2021-33203 is a vulnerability in Django versions before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 that allows staff members to perform directory traversal and check the existence of arbitrary files.
CVE-2021-33203 has a severity rating of 4.9, which is considered medium.
To fix CVE-2021-33203, update your Django version to 2.2.24, 3.1.12, or 3.2.4, depending on your current Django version.
You can find more information about CVE-2021-33203 on the NVD website, Django security releases page, and the Django Announce group.
The CWE for CVE-2021-33203 is CWE-22.