CVE-2021-33203
Severity: MEDIUM
Django <2.2.24, 3.x <3.1.12, 3.2.x <3.2.4 - Path Traversal
Title source: llmDescription
Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
References (5)
Core References
Mailing List x_refsource_misc
https://groups.google.com/forum/#%21forum/django-announce
Patch, Vendor Advisory x_refsource_misc
https://docs.djangoproject.com/en/3.2/releases/security/
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210727-0004/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
Scores
CVSS v3
4.9
EPSS
0.0274
EPSS Percentile
84.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (3)
djangoproject/django
< 2.2.24
fedoraproject/fedora
35
pypi/Django
0 - 2.2.24 (PyPI)
Published
Jun 08, 2021
Tracked Since
Feb 18, 2026