In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3744 advisory.

  - In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory     traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected     by this vulnerability. (CVE-2021-28658)

  - In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and     FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
    (CVE-2021-31542)

  - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via     django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of     arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by     application developers to also show file contents, then not only the existence but also the file contents     would have been exposed. In other words, there is directory traversal outside of the template root     directories. (CVE-2021-33203)

  - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address,     and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a     bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address     are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9341 advisory.

  - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two     content-length headers, it ignored the first header. When the second content-length value was set to zero,     the request body was interpreted as a pipelined request. (CVE-2020-10108)

  - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a     content-length and a chunked encoding header, the content-length took precedence and the remainder of the     request body was interpreted as a pipelined request. (CVE-2020-10109)

  - A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly     imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote     attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

  - In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The     load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward     compatibility with the function. (CVE-2017-18342)

  - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via     django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of     arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by     application developers to also show file contents, then not only the existence but also the file contents     would have been exposed. In other words, there is directory traversal outside of the template root     directories. (CVE-2021-33203)

  - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address,     and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a     bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address     are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and     FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
    (CVE-2021-31542)

  - In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory     traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected     by this vulnerability. (CVE-2021-28658)

  - lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML     Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG     files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should     upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. (CVE-2021-43818)

  - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling     the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute     allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS     code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
    (CVE-2021-28957)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5070 advisory.

  - django: Potential directory-traversal via archive.extract() (CVE-2021-3281)

  - django: potential directory-traversal via uploaded files (CVE-2021-28658)

  - django: Potential directory-traversal via uploaded files (CVE-2021-31542)

  - django: Potential directory traversal via ``admindocs`` (CVE-2021-33203)

  - django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4     addresses (CVE-2021-33571)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4702 advisory.

  - python-ecdsa: Unexpected and  undocumented exceptions during signature decoding (CVE-2019-14853)

  - python-ecdsa: DER encoding is not being verified in signatures (CVE-2019-14859)

  - rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id     (CVE-2019-25025)

  - rake: OS Command Injection via egrep in Rake::FileList (CVE-2020-8130)

  - guava: local information disclosure via temporary directory created with unsafe permissions     (CVE-2020-8908)

  - PyYAML: incomplete fix for CVE-2020-1747 (CVE-2020-14343)

  - rubygem-nokogiri: XML external entity injection via Nokogiri::XML::Schema (CVE-2020-26247)

  - Satellite: Azure compute resource secret_key leak to authenticated users (CVE-2021-3413)

  - foreman: possible man-in-the-middle in smart_proxy realm_freeipa (CVE-2021-3494)

  - Satellite: BMC controller credential leak via API (CVE-2021-20256)

  - python-aiohttp: Open redirect in aiohttp.web_middlewares.normalize_path_middleware (CVE-2021-21330)

  - rubygem-actionpack: Possible Information Disclosure / Unintended Method Execution in Action Pack     (CVE-2021-22885)

  - rails: Possible Denial of Service vulnerability in Action Dispatch (CVE-2021-22902)

  - rails: Possible DoS Vulnerability in Action Controller Token Authentication (CVE-2021-22904)

  - django: potential directory-traversal via uploaded files (CVE-2021-28658)

  - rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS) (CVE-2021-29509)

  - django: Potential directory-traversal via uploaded files (CVE-2021-31542)

  - rubygem-addressable: ReDoS in templates (CVE-2021-32740)

  - django: Potential directory traversal via ``admindocs`` (CVE-2021-33203)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4     addresses (CVE-2021-33571)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4932-2 advisory.

  - In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and     FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
    (CVE-2021-31542)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Django Release reports :

CVE-2021-31542:Potential directory-traversal via uploaded files.

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

It was discovered that there was potential directory-traversal vulnerability in Django, a popular Python-based web development framework.

The MultiPartParser, UploadedFile and FieldFile classes allowed directory-traversal via uploaded files with suitably crafted file names. In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments are rejected.

For Debian 9 'Stretch', this problem has been fixed in version 1:1.10.7-2+deb9u13.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-4932-1 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191437	Debian dla-3744 : python-django - security update	Nessus	Debian Local Security Checks	high
160271	Oracle Linux 8 : ol-automation-manager (ELSA-2022-9341)	Nessus	Oracle Linux Local Security Checks	critical
156005	RHEL 8 : Red Hat OpenStack Platform 16.1 (python-django20) (RHSA-2021:5070)	Nessus	Red Hat Local Security Checks	high
155377	RHEL 7 : Satellite 6.10 Release (Moderate) (RHSA-2021:4702)	Nessus	Red Hat Local Security Checks	critical
149474	Ubuntu 16.04 ESM : Django vulnerability (USN-4932-2)	Nessus	Ubuntu Local Security Checks	high
149341	FreeBSD : Django -- multiple vulnerabilities (1766359c-ad6e-11eb-b2a4-080027e50e6d)	Nessus	FreeBSD Local Security Checks	high
149339	Debian DLA-2651-1 : python-django security update	Nessus	Debian Local Security Checks	high
149251	Ubuntu 18.04 LTS / 20.04 LTS : Django vulnerability (USN-4932-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2021-31542

high

Tenable Plugins

high

critical

high

critical

high

high

high

high