Vulnerability Description
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Djangoproject | Django | >= 2.2, < 2.2.18 |
| Fedoraproject | Fedora | 33 |
| Netapp | Snapcenter | - |
Related Weaknesses (CWE)
References
- https://docs.djangoproject.com/en/3.1/releases/security/PatchVendor Advisory
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20210226-0004/Third Party Advisory
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases/Vendor Advisory
- https://docs.djangoproject.com/en/3.1/releases/security/PatchVendor Advisory
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20210226-0004/Third Party Advisory
- https://www.djangoproject.com/weblog/2021/feb/01/security-releases/Vendor Advisory
FAQ
What is CVE-2021-3281?
CVE-2021-3281 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal v...
How severe is CVE-2021-3281?
CVE-2021-3281 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-3281?
Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django, Fedoraproject Fedora, Netapp Snapcenter.