CVE-2021-31542 — HIGH (7.5)

Q: What is CVE-2021-31542?

CVE-2021-31542 is a vulnerability with a CVSS score of 7.5 (HIGH). In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

Q: How severe is CVE-2021-31542?

CVE-2021-31542 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-31542?

Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Djangoproject	Django	>= 2.2, < 2.2.21
Debian	Debian Linux	9.0
Fedoraproject	Fedora	34

Related Weaknesses (CWE)

CWE-22

References

http://www.openwall.com/lists/oss-security/2021/05/04/3Mailing ListPatchThird Party Advisory
https://docs.djangoproject.com/en/3.2/releases/security/PatchVendor Advisory
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d
https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48
https://github.com/django/django/commit/c98f446c188596d4ba6de71d1b77b4a6c5c2a007
https://groups.google.com/forum/#%21forum/django-announce
https://lists.debian.org/debian-lts-announce/2021/05/msg00005.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.netapp.com/advisory/ntap-20210618-0001/Third Party Advisory
https://www.djangoproject.com/weblog/2021/may/04/security-releases/Release NotesVendor Advisory
http://www.openwall.com/lists/oss-security/2021/05/04/3Mailing ListPatchThird Party Advisory
https://docs.djangoproject.com/en/3.2/releases/security/PatchVendor Advisory
https://github.com/django/django/commit/04ac1624bdc2fa737188401757cf95ced122d26d
https://github.com/django/django/commit/25d84d64122c15050a0ee739e859f22ddab5ac48

FAQ

What is CVE-2021-31542?

CVE-2021-31542 is a vulnerability with a CVSS score of 7.5 (HIGH). In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

How severe is CVE-2021-31542?

CVE-2021-31542 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-31542?

Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django, Debian Debian Linux, Fedoraproject Fedora.