CVE-2021-31542 — Path Traversal in Django

Description

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

How to fix CVE-2021-31542

To remediate CVE-2021-31542, upgrade the affected package to a fixed version below.

Bitnami/django—upgrade to 2.2.21 or later
—upgrade to 2:2.2.21-1 or later
—upgrade to 1:1.10.7-2+deb9u13 or later
—upgrade to 2.2.21 or later
—upgrade to 2.2.21 or later

Is CVE-2021-31542 being exploited?

Low — EPSS is 4.4%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

>= 2.2.0, < 2.2.21, >= 3.1.0, < 3.1.9, >= 3.2.0, < 3.2.1
from 0, < 2:2.2.21-1
from 0, < 1:1.10.7-2+deb9u13
>= 2.2, < 2.2.21
>= 2.2, < 2.2.21, >= 3.1, < 3.1.9, >= 3.2, < 3.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (25)

ADVISORYgithub.com/advisories/GHSA-rxjp-mfm9-w4wr
ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-31542
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-31542
ADVISORYwww.djangoproject.com/weblog/2021/may/04/security-releases/
PATCH