CVE-2021-31542
HIGH
Django 2.2-2.2.20, 3.1-3.1.8, 3.2-3.2.0 - Path Traversal via Uploaded File Name
Title source: llmDescription
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
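The weakness described above is the classic CWE-22 shape: a client-controlled file name is joined onto the server's upload directory without first being reduced to a bare basename, so names carrying "..", a leading "/" or other path elements can steer the write outside the intended root. The following is an added example written for this page, not Django's own code and not a reproduction of the exploit: it shows the vulnerable join beside a hardened validator of the kind the fixed releases apply, and a defence-in-depth containment check on the resulting path. UPLOAD_ROOT and all sample file names are constructed for the demonstration, and the SuspiciousFileOperation class is a local stand-in rather than an import from Django.

```python
import posixpath

# Assumed upload root for the demonstration; any absolute POSIX path works.
UPLOAD_ROOT = "/srv/app/media/uploads"


class SuspiciousFileOperation(Exception):
    """Local stand-in for the Django exception of the same name (not imported)."""


def naive_destination(name: str, root: str = UPLOAD_ROOT) -> str:
    """The vulnerable pattern: join a client-controlled file name onto the upload root.

    posixpath.join discards `root` entirely when `name` is absolute, and '..'
    segments are collapsed by normpath (or by the filesystem at open() time),
    so the returned path can land anywhere the process is allowed to write.
    """
    return posixpath.normpath(posixpath.join(root, name))


def validate_file_name(name: str) -> str:
    """Hardened check (added example modelled on the class of fix, not Django's code).

    Rejects empty and dot-only names and any name carrying a directory
    component, so only a bare basename ever reaches the join.
    """
    if name in ("", ".", ".."):
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    # Check both separators: the server may be POSIX, but the name came from an
    # arbitrary client and a later copy to Windows-backed storage would honour '\\'.
    if "/" in name or "\\" in name:
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    if "\x00" in name:
        raise SuspiciousFileOperation(f"File name {name!r} contains a NUL byte")
    return name


def within_root(path: str, root: str) -> bool:
    """True if `path` normalises to `root` itself or to something beneath it."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return posixpath.commonpath([root, path]) == root


def safe_destination(name: str, root: str = UPLOAD_ROOT) -> str:
    """Validate first, join second, and re-check the result as defence in depth."""
    dest = posixpath.join(root, validate_file_name(name))
    if not within_root(dest, root):
        raise SuspiciousFileOperation(f"{dest!r} escapes {root!r}")
    return dest


def audit(names):
    """Map each candidate file name to whether the hardened check accepts it."""
    result = {}
    for name in names:
        try:
            validate_file_name(name)
            result[name] = True
        except SuspiciousFileOperation:
            result[name] = False
    return result


# Constructed sample file names of the kind a client could send in a multipart upload.
TRAVERSAL_NAMES = [
    "../../../etc/cron.d/evil",
    "/etc/passwd",
    "..",
    "",
    "sub/../../escape.txt",
    "..\\..\\escape.txt",
]
BENIGN_NAMES = ["report.pdf", "photo.2021.jpg", "...odd-but-legal"]

if __name__ == "__main__":
    for n in TRAVERSAL_NAMES:
        dest = naive_destination(n)
        print(f"{n!r:30} naive -> {dest:40} inside root: {within_root(dest, UPLOAD_ROOT)}")
    print(audit(TRAVERSAL_NAMES + BENIGN_NAMES))
```

Note that the containment check alone is not a substitute for the validator: a backslash-bearing name such as "..\\..\\escape.txt" stays inside the root on a POSIX host, yet becomes a traversal if the stored file is later served from or copied to a Windows path, which is why the validator rejects both separators up front.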
References (11)
Core References
Mailing List, Third Party Advisory (vendor-advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
Mailing List, Third Party Advisory (vendor-advisory)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/04/3
Patch, Vendor Advisory
https://docs.djangoproject.com/en/3.2/releases/security/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20210618-0001/
Release Notes, Vendor Advisory
https://www.djangoproject.com/weblog/2021/may/04/security-releases/
Mailing List, Third Party Advisory (mailing-list)
https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html
Scores
CVSS v3
7.5
EPSS
0.0529
EPSS Percentile
91.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (5)
debian/debian_linux
9.0
djangoproject/django
2.2 up to, but not including, 2.2.21 (fixed in 2.2.21; the 3.1 and 3.2 series named in the description are fixed in 3.1.9 and 3.2.1)
fedoraproject/fedora
34
fedoraproject/fedora
35
pypi/Django
2.2 up to, but not including, 2.2.21 (fixed in 2.2.21)
PyPI
Published
May 05, 2021
Tracked Since
Feb 18, 2026