CVE-2021-3281

MEDIUM

Django < 2.2.18 / 3.0.12 / 3.1.6 - Path Traversal

Title source: llm

Description

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

Exploits (2)

github WRITEUP (3 stars) by HxDDD · poc
https://github.com/HxDDD/CVE-PoC/tree/main/Django/(Directory Traversal) CVE-2021-3281.md

nomisec WRITEUP (2 stars) by lwzSoviet · poc
https://github.com/lwzSoviet/CVE-2021-3281

Scores

CVSS v3 5.3
EPSS 0.4148
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-22
Status published
Products (4)
djangoproject/django 2.2 - 2.2.18
fedoraproject/fedora 33
netapp/snapcenter
pypi/Django 2.2 - 2.2.18 (PyPI)
Published Feb 02, 2021
Tracked Since Feb 18, 2026