CVE-2021-44420
Potential bypass of an upstream access control based on URL paths in Django
7.3
HIGH
CVSS 3.1
EPSS 0.13%
Description
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. A request path such as `/admin/%0A` decodes to `/admin/` followed by a newline, which is not the string a front-end proxy, load balancer or WAF compares against, so an exact-match path rule does not fire; Django's URL resolver nevertheless routes the request to the view, because the regex it compiles for a route ends in `$`, and in Python's `re` module `$` matches immediately before a trailing newline as well as at the end of the string. The fix terminates the compiled route regex with `\Z`, which matches only at the true end of the string.
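The mismatch described above, as an added example (not Django's code and not from the original page). It assumes a hypothetical upstream that denies `/admin/` by exact string comparison, and emulates how a Django route is compiled to a regex before the fix (`$`) and after it (`\Z`); the route regexes and the deny list are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed for this example: an upstream proxy/WAF rule that denies the
# admin UI by exact path comparison (hypothetical, not a real proxy config).
DENIED_PATHS = {"/admin/"}

# Emulation of a compiled Django path() route. Before the fix the generated
# pattern ended in '$'; the fix ends it in '\Z'. In Python's re, '$' also
# matches just before a trailing '\n'; '\Z' matches only at the true end.
ROUTE_BEFORE_FIX = re.compile(r"^admin/$")
ROUTE_AFTER_FIX = re.compile(r"^admin/\Z")


def upstream_allows(raw_path: str) -> bool:
    """Exact-match check as the hypothetical upstream applies it.

    It decodes percent-encoding, so '/admin/%0A' becomes '/admin/' plus a
    newline, which is not '/admin/' and therefore slips past the deny list.
    """
    return unquote(raw_path) not in DENIED_PATHS


def app_routes_to_admin(route: re.Pattern, raw_path: str) -> bool:
    """Does the application's URL resolver send this path to the admin view?

    WSGI servers hand the application the decoded path, and Django matches
    routes against the path without its leading '/', which this mirrors.
    """
    path = unquote(raw_path).lstrip("/")
    return route.match(path) is not None


def bypassed(route: re.Pattern, raw_path: str) -> bool:
    """True when the upstream lets the request through AND the app still
    serves the protected view: the condition the CVE describes."""
    return upstream_allows(raw_path) and app_routes_to_admin(route, raw_path)


if __name__ == "__main__":
    for raw in ("/admin/", "/admin/%0A"):
        print(
            f"{raw!r:14} before fix: bypass={bypassed(ROUTE_BEFORE_FIX, raw)}"
            f"  after fix: bypass={bypassed(ROUTE_AFTER_FIX, raw)}"
        )
```

The same property of `$` applies to any hand-written Python regex, so when auditing an application's own `re_path()` routes, look for patterns that end in `$` where `\Z` is what is meant.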
How to fix CVE-2021-44420
To remediate CVE-2021-44420, upgrade the affected package to one of the fixed versions below. The upgrade fixes Django's side of the problem; an upstream component that enforces path-based rules by exact comparison should also reject or normalise percent-encoded control characters such as `%0A` in request paths rather than relying on the application to do so.
- Bitnami/django—upgrade to 2.2.25 or later
- —upgrade to 2:2.2.25-1~deb11u1 or later
- —upgrade to 2.2.25 or later
- —upgrade to 2.2.25 or later
Is CVE-2021-44420 being exploited?
Low: EPSS is 0.13% (as listed above), a low estimated probability that this vulnerability is exploited in the wild within the next 30 days, and exploitation activity has not been observed at scale.
Affected packages (4)
- >= 2.2.0, < 2.2.25, >= 3.1.0, < 3.1.14, >= 3.2.0, < 3.2.10
- from 0, < 2:2.2.25-1~deb11u1
- >= 2.2a1, < 2.2.25
- >= 2.2, < 2.2.25, >= 3.1, < 3.1.14, >= 3.2, < 3.2.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |