CVE-2021-32052
MEDIUMDjango 2.2-2.2.21, 3.1-3.1.9, 3.2-3.2.1 - Header Injection via URLValidator
Title source: llmDescription
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
References (6)
Core 6
Core References
Mailing List x_refsource_misc
https://groups.google.com/forum/#%21forum/django-announce
Patch, Vendor Advisory x_refsource_misc
https://docs.djangoproject.com/en/3.2/releases/security/
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2021/05/06/1
Patch, Vendor Advisory x_refsource_misc
https://www.djangoproject.com/weblog/2021/may/06/security-releases/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210611-0002/
Scores
CVSS v3
6.1
EPSS
0.0315
EPSS Percentile
86.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
djangoproject/django
2.2 - 2.2.22
fedoraproject/fedora
34
pypi/Django
2.2 - 2.2.22PyPI
Published
May 06, 2021
Tracked Since
Feb 18, 2026