Access Control Bypass in Django Framework by Django Software Foundation
CVE-2021-44420

7.3HIGH

Key Information:

Vendor

Djangoproject

Status
Django
Vendor
CVE Published:
8 December 2021

What is CVE-2021-44420?

In certain versions of the Django framework, HTTP requests to URLs containing trailing newlines can circumvent upstream access control measures. This flaw may allow unauthorized access to sensitive resources based on URL paths, posing a security risk for web applications using vulnerable versions of Django. It highlights the importance of proper request handling and strict validation in web frameworks.

References

https://groups.google.com/forum/#%21forum/django-announce
x_refsource_MISC
https://docs.djangoproject.com/en/3.2/releases/security/
x_refsource_MISC
https://www.openwall.com/lists/oss-security/2021/12/07/1
x_refsource_CONFIRM

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.