CVE-2021-3281

MEDIUM

Django < 2.2.18 / < 3.0.12 / < 3.1.6 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-3281. PoCs published by HxDDD, lwzSoviet.

AI-analyzed exploit summary

This repository provides a detailed technical analysis of CVE-2021-3281, a directory traversal vulnerability in Django's archive extraction functionality. It includes a root cause analysis, patch details, and a proof-of-concept demonstration.

Description

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
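The defect described above is the classic archive path-traversal pattern: an extractor joins the destination directory with each member name and writes the result, so a member named with an absolute path or with `..` segments resolves outside the intended directory. The defence is to resolve every member's final path before writing anything and reject the archive if any member would land outside the destination root. The following is an added illustration written for this page, not Django's patched `django.utils.archive` code and not code from either PoC repository; the function names (`check_member`, `safe_extract`, `build_archive`, `demo`) are mine, and it assumes Python 3.8 or later on a POSIX system. It builds small constructed tar archives in memory (one benign, three unsafe) and shows the check accepting the first and rejecting the rest; symlink and hardlink members are rejected outright as a conservative design choice, because a link written early can redirect later members even when their names look contained.

```python
import io
import os
import sys
import tarfile
import tempfile


class UnsafeArchiveMember(ValueError):
    """Raised when an archive member would resolve outside the extraction root."""


def check_member(member, dest):
    """Validate one tar member against the extraction root.

    The member name is joined to ``dest`` and fully resolved; the resolved
    path must still lie under ``dest``.  os.path.join() discards ``dest``
    when the name is absolute, and realpath() collapses ``..`` segments, so
    both traversal forms named in the CVE fall out of the same comparison.
    """
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeArchiveMember(f"{member.name!r} resolves outside {root}")
    # Links are refused entirely (assumption/design choice of this example):
    # a symlink extracted first can redirect later, apparently safe, members.
    if member.issym() or member.islnk():
        raise UnsafeArchiveMember(f"{member.name!r} is a link member; refused")
    return target


def safe_extract(tar_bytes, dest):
    """Check every member first, then extract; returns the extracted names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        for member in members:          # validate all before writing anything
            check_member(member, dest)
        # Python 3.12+ also offers the built-in "data" filter; use it as a
        # second layer where available, the pre-check above is the primary one.
        kwargs = {"filter": "data"} if sys.version_info >= (3, 12) else {}
        tar.extractall(dest, members=members, **kwargs)
    return sorted(m.name for m in members)


def build_archive(entries):
    """Constructed sample input: (name, payload) pairs.

    A bytes payload becomes a regular file; a str payload becomes a symlink
    pointing at that string.  TarInfo names are stored verbatim, so names
    with ``..`` or a leading ``/`` survive into the archive.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            if isinstance(payload, str):
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo():
    """Run the extractor over a benign and three unsafe constructed archives."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        benign = build_archive([("good.txt", b"ok\n"), ("sub/nested.txt", b"ok\n")])
        results["benign"] = safe_extract(benign, dest)

        cases = {
            "dotdot": ("../escape.txt", b"x"),        # relative with dot segments
            "absolute": ("/tmp/escape.txt", b"x"),    # absolute member name
            "symlink": ("link", "/etc"),              # link member, refused
        }
        for label, entry in cases.items():
            try:
                safe_extract(build_archive([entry]), dest)
                results[label] = "extracted"
            except UnsafeArchiveMember:
                results[label] = "rejected"

        # Confirm nothing landed one level above the extraction root.
        parent = os.path.dirname(os.path.realpath(dest))
        results["nothing_escaped"] = not os.path.exists(
            os.path.join(parent, "escape.txt")
        )
    return results


if __name__ == "__main__":
    print(demo())
```

Validating all members before writing any is deliberate: an extractor that checks and writes member by member has already altered the filesystem by the time it hits a malicious entry, which complicates cleanup and leaves a partially written tree behind.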

Exploits (2)

github WRITEUP 3 stars
by HxDDD · poc
https://github.com/HxDDD/CVE-PoC/tree/main/Django/(Directory Traversal) CVE-2021-3281.md

This repository provides a detailed technical analysis of CVE-2021-3281, a directory traversal vulnerability in Django's archive extraction functionality. It includes a root cause analysis, patch details, and a proof-of-concept demonstration.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Django 3.1.5
No auth needed
Prerequisites: Django 3.1.5 installation · Python 3.6.8 · malicious tar file with crafted filenames
devstral-2 · analyzed Feb 27, 2026
nomisec WRITEUP 2 stars
by lwzSoviet · poc
https://github.com/lwzSoviet/CVE-2021-3281

The repository provides a technical analysis of CVE-2021-3281, a directory traversal vulnerability in Django's `django.utils.archive.py` and Python's `tarfile.py`. It includes proof-of-concept code demonstrating how malicious tar archives can write files outside the intended directory on Windows systems.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Django (versions affected by CVE-2021-3281) and Python's tarfile module
No auth needed
Prerequisites: Access to a system where Django or Python's tarfile is used to extract untrusted archives
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 5.3
EPSS: 0.4148
EPSS Percentile: 97.5%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE: CWE-22
Status: published
Products (4)
djangoproject/django 2.2 - 2.2.18
fedoraproject/fedora 33
netapp/snapcenter
pypi/Django 2.2 - 2.2.18 (PyPI)
Published: Feb 02, 2021
Tracked Since: Feb 18, 2026