In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:5498 advisory.

  - libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c (CVE-2021-3200)

  - foreman: Authenticate remote code execution through Sendmail configuration (CVE-2021-3584)

  - Satellite: Allow unintended SCA certificate to authenticate Candlepin (CVE-2021-4142)

  - netty: Information disclosure via the local system temporary directory (CVE-2021-21290)

  - netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)

  - netty: Request smuggling via content-length header (CVE-2021-21409)

  - sidekiq: XSS via the queue name of the live-poll feature (CVE-2021-30151)

  - python-sqlparse: ReDoS via regular expression in StripComments filter (CVE-2021-32839)

  - libsolv: heap-based buffer overflow in pool_installable() in src/repo.h (CVE-2021-33928)

  - libsolv: heap-based buffer overflow in pool_disabled_solvable() in src/repo.h (CVE-2021-33929)

  - libsolv: heap-based buffer overflow in pool_installable_whatprovides() in src/repo.h (CVE-2021-33930)

  - libsolv: heap-based buffer overflow in prune_to_recommended() in src/policy.c (CVE-2021-33938)

  - rubygem-puma: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma     (CVE-2021-41136)

  - logback: remote code execution through JNDI call from within its configuration file (CVE-2021-42550)

  - netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)

  - python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through (CVE-2021-43818)

  - django: potential bypass of an upstream access control based on URL paths (CVE-2021-44420)

  - libsolv: heap-overflows in resolve_dependencies function (CVE-2021-44568)

  - django: Denial-of-service possibility in UserAttributeSimilarityValidator (CVE-2021-45115)

  - django: Potential information disclosure in dictsort template filter (CVE-2021-45116)

  - django: Potential directory-traversal via Storage.save() (CVE-2021-45452)

  - django: Possible XSS via '{% debug %}' template tag (CVE-2022-22818)

  - rubygem-actionpack: information leak between requests (CVE-2022-23633)

  - rubygem-puma: rubygem-rails: information leak between requests (CVE-2022-23634)

  - django: Denial-of-service possibility in file uploads (CVE-2022-23833)

  - sidekiq: WebUI Denial of Service caused by number of days on graph (CVE-2022-23837)

  - Django: SQL injection in QuerySet.annotate(),aggregate() and extra() (CVE-2022-28346)

  - Django: SQL injection via QuerySet.explain(options) on PostgreSQL (CVE-2022-28347)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:0742 advisory.

  - django: potential bypass of an upstream access control based on URL paths (CVE-2021-44420)

  - python-django: Potential denial-of-service vulnerability in internationalized URLs (CVE-2022-41323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:5498 advisory.

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a     vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are     used local information disclosure can occur via the local system temporary directory if temporary storing     uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user.
    As such, writing to this directory using APIs that do not explicitly set the file/directory permissions     can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The     method File.createTempFile on unix-like systems creates a random file, but, by default will create this     file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other     local users can read this information. This is the case in netty's AbstractDiskHttpData is vulnerable.
    This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own java.io.tmpdir     when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something     that is only readable by the current user. (CVE-2021-21290)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header     is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is     propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request     comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,     `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's     pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy     case, users may assume the content-length is validated somehow, which is not the case. If the request is     forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs     to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to     HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of     this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is     used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This     has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by     implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind     `Http2StreamFrameToHttpObjectCodec`. (CVE-2021-21295)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is     not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to     true. This could lead to request smuggling if the request is proxied to a remote peer and translated to     HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case.
    This was fixed as part of 4.1.61.Final. (CVE-2021-21409)

  - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when     Internet Explorer is used. (CVE-2021-30151)

  - Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp,     const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334,     which could cause a denial of service (CVE-2021-3200)

  - sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a     regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause     exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the     formatting feature that removes comments from SQL statements is affected by this regular expression. As a     workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-     comments command line flag when using the sqlformat command line tool. The issues has been fixed in     sqlparse 0.4.2. (CVE-2021-32839)

  - Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows     attackers to cause a Denial of Service. (CVE-2021-33928)

  - Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17     allows attackers to cause a Denial of Service. (CVE-2021-33929)

  - Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before     0.7.17 allows attackers to cause a Denial of Service. (CVE-2021-33930)

  - Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17     allows attackers to cause a Denial of Service. (CVE-2021-33938)

  - A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker     could use Sendmail configuration options to overwrite the defaults and perform command injection. The     highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed     releases are 2.4.1, 2.5.1, 3.0.0. (CVE-2021-3584)

  - Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with     a proxy which forwards HTTP header values which contain the LF character could allow HTTP request     smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to     another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is     Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via     HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two     requests, and when processing the second request, send back a response that the proxy does not expect. If     the proxy has reused the persistent connection to Puma to send another request for a different client, the     second response from the first client will be sent to the second client. This vulnerability was patched in     Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`. (CVE-2021-41136)

  - The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors     could allow an attacker to use the SCA (simple content access) certificate for authentication with     Candlepin. (CVE-2021-4142)

  - In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit     configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from     LDAP servers. (CVE-2021-42550)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

  - lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML     Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG     files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should     upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. (CVE-2021-43818)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap     variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause     a remote Denial of Service. (CVE-2021-44568)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
    UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was     artificially large in relation to the comparison values. In a situation where access to user registration     was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to     leveraging the Django Template Language's variable resolution logic, the dictsort template filter was     potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably     crafted key. (CVE-2021-45116)

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - Action Pack is a framework for handling and responding to web requests. Under certain circumstances     response bodies will not be closed. In the event a response is *not* notified of a `close`,     `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead     to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and     5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-     wh98-p28r-vrc9 can be used. (CVE-2022-23633)

  - Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not     always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body     being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of     these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information     leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions     7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the     vulnerability. (CVE-2022-23634)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

  - In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting     stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
    (CVE-2022-23837)

  - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
    QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a     crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

  - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13,     and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
    **options argument, and placing the injection payload in an option name. (CVE-2022-28347)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0005-1 advisory.

  - In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator     does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses     values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because     HttpResponse prohibits newlines in HTTP headers. (CVE-2021-32052)

  - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via     django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of     arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by     application developers to also show file contents, then not only the existence but also the file contents     would have been exposed. In other words, there is directory traversal outside of the template root     directories. (CVE-2021-33203)

  - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address,     and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a     bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address     are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
    UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was     artificially large in relation to the comparison values. In a situation where access to user registration     was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to     leveraging the Django Template Language's variable resolution logic, the dictsort template filter was     potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably     crafted key. (CVE-2021-45116)

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

  - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
    QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a     crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

  - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13,     and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
    **options argument, and placing the injection payload in an option name. (CVE-2022-28347)

  - An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7.
    An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition     header of a FileResponse when the filename is derived from user-supplied input. (CVE-2022-36359)

  - In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject     to a potential denial of service attack via the locale parameter, which is treated as a regular     expression. (CVE-2022-41323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9341 advisory.

  - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two     content-length headers, it ignored the first header. When the second content-length value was set to zero,     the request body was interpreted as a pipelined request. (CVE-2020-10108)

  - In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a     content-length and a chunked encoding header, the content-length took precedence and the remainder of the     request body was interpreted as a pipelined request. (CVE-2020-10109)

  - A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly     imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote     attacker could exploit this flaw to run arbitrary HTML/JS code. (CVE-2020-27783)

  - In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The     load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward     compatibility with the function. (CVE-2017-18342)

  - Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via     django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of     arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by     application developers to also show file contents, then not only the existence but also the file contents     would have been exposed. In other words, there is directory traversal outside of the template root     directories. (CVE-2021-33203)

  - In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address,     and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a     bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address     are unaffected with Python 3.9.5+..) . (CVE-2021-33571)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and     FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
    (CVE-2021-31542)

  - In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory     traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected     by this vulnerability. (CVE-2021-28658)

  - lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML     Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG     files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should     upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. (CVE-2021-43818)

  - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling     the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute     allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS     code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
    (CVE-2021-28957)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 21.04 / 21.10 host has a package installed that is affected by a vulnerability as referenced in the USN-5178-1 advisory.

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194275	RHEL 7 / 8 : Satellite 6.11 Release (Moderate) (RHSA-2022:5498)	Nessus	Red Hat Local Security Checks	critical
194206	RHEL 8 : RHUI 4.3.0 - Security Fixes, Bug Fixes, and Enhancements Update (Low) (RHSA-2023:0742)	Nessus	Red Hat Local Security Checks	high
184590	Rocky Linux 8 : Satellite 6.11 Release (Moderate) (RLSA-2022:5498)	Nessus	Rocky Linux Local Security Checks	critical
169481	openSUSE 15 Security Update : python-Django (openSUSE-SU-2023:0005-1)	Nessus	SuSE Local Security Checks	critical
160271	Oracle Linux 8 : ol-automation-manager (ELSA-2022-9341)	Nessus	Oracle Linux Local Security Checks	critical
155938	Ubuntu 20.04 LTS : Django vulnerability (USN-5178-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2021-44420

high

Tenable Plugins

critical

high

critical

critical

critical

high