What is CVE-2021-33203?

CVE-2021-33203 is a vulnerability in Django versions before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 that allows staff members to perform directory traversal and check the existence of arbitrary files.

How severe is CVE-2021-33203?

CVE-2021-33203 has a severity rating of 4.9, which is considered medium.

How can I fix CVE-2021-33203?

To fix CVE-2021-33203, update your Django version to 2.2.24, 3.1.12, or 3.2.4, depending on your current Django version.

Where can I find more information about CVE-2021-33203?

You can find more information about CVE-2021-33203 on the NVD website, Django security releases page, and the Django Announce group.

What is the Common Weakness Enumeration (CWE) for CVE-2021-33203?

The CWE for CVE-2021-33203 is CWE-22.

Vulnerability/
CVE-2021-33203

medium

4.9

CWE

31/5/2021

2/6/2021

10/6/2021

5/9/2023

CVE-2021-33203: Path Traversal

First published: Mon May 31 2021(Updated: )

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/python-django20	<0:2.0.13-16.el8	0:2.0.13-16.el8
redhat/python3-django	<0:2.2.24-1.el7	0:2.2.24-1.el7
Djangoproject Django	<2.2.24
Djangoproject Django	>=3.0.0<3.1.12
Djangoproject Django	>=3.2.0<3.2.4
Fedoraproject Fedora	=35
pip/django	>=3.2.0<3.2.4	3.2.4
pip/django	>=3.0.0<3.1.12	3.1.12
pip/django	<2.2.24	2.2.24

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2021-33203?
CVE-2021-33203 is a vulnerability in Django versions before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 that allows staff members to perform directory traversal and check the existence of arbitrary files.
How severe is CVE-2021-33203?
CVE-2021-33203 has a severity rating of 4.9, which is considered medium.
How can I fix CVE-2021-33203?
To fix CVE-2021-33203, update your Django version to 2.2.24, 3.1.12, or 3.2.4, depending on your current Django version.
Where can I find more information about CVE-2021-33203?
You can find more information about CVE-2021-33203 on the NVD website, Django security releases page, and the Django Announce group.
What is the Common Weakness Enumeration (CWE) for CVE-2021-33203?
The CWE for CVE-2021-33203 is CWE-22.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/github-advisory
alias/GHSA-68w8-qjq3-2gfm
alias/CVE-2021-33203
collector/github-advisory-latest
collector/nvd-cve
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/redhat-cve
package-manager/pip
vendor/djangoproject
canonical/djangoproject django
version/djangoproject django/3.0.0
version/djangoproject django/3.2.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/35
package-manager/redhat