Description
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
References (6)
Core References
Mailing List x_refsource_misc
https://groups.google.com/forum/#%21forum/django-announce
Patch, Vendor Advisory x_refsource_misc
https://docs.djangoproject.com/en/3.2/releases/security/
Mailing List, Patch, Third Party Advisory x_refsource_confirm
https://www.openwall.com/lists/oss-security/2021/12/07/1
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20211229-0006/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
Scores
CVSS v3
7.3
EPSS
0.0012
EPSS Percentile
30.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
Status
published
Products (9)
canonical/ubuntu_linux
20.04
canonical/ubuntu_linux
21.04
canonical/ubuntu_linux
21.10
debian/debian_linux
10.0
debian/debian_linux
11.0
djangoproject/django
2.2 - 2.2.25
fedoraproject/fedora
35
pypi/Django
2.2a1 - 2.2.25
redhat/satellite
6.0
Published
Dec 08, 2021
Tracked Since
Feb 18, 2026