Bug 1185713 – VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+

Bug 1185713 - (CVE-2021-32052) VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+

(CVE-2021-32052)
Summary:	VUL-0: CVE-2021-32052: python-Django,python-Django1: header injection possibi...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/283561/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-32052:5.4:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-05-06 11:23 UTC by Gianluca Gabrielli
Modified:	2023-01-03 14:22 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-05-06 11:23:02 UTC

CVE-2021-32052

A flaw was found in Django. On Python 3.9.5+, ``URLValidator`` didn't prohibited newlines and tabs. If you used values with newlines in HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because ``HttpResponse`` prohibit newlines in HTTP headers.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1957455
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32052
http://seclists.org/oss-sec/2021/q2/104

Comment 1 Gianluca Gabrielli 2021-05-06 11:27:19 UTC

Affected packages:

 - SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/python-Django   1.8.19
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django   1.11.29
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1  1.11.29
 - openSUSE:Factory/python-Django                                3.2

Upstream patches:

 - master [0]
 - 3.2 [1]
 - 3.1 [2]
 - 2.2 [3]

Additional information [4].


[0] https://github.com/django/django/commit/e1e81aa1c4427411e3c68facdd761229ffea6f6f
[1] https://github.com/django/django/commit/2d2c1d0c97832860fbd6597977e2aae17dd7e5b2
[2] https://github.com/django/django/commit/afb23f5929944a407e4990edef1c7806a94c9879
[3] https://github.com/django/django/commit/d9594c4ea57b6309d93879805302cec9ae9f23ff
[4] https://www.djangoproject.com/weblog/2021/may/06/security-releases/

Comment 2 Johannes Grassler 2021-05-06 15:49:07 UTC

We use Python 2 on all versions of SUSE OpenStack Cloud so this does not appear to  affect us.

Comment 3 Gianluca Gabrielli 2021-05-07 08:07:59 UTC

Hi Johannes, thanks to have pointed this out.

@Alberto, could you please fix this in Factory by bumping the package to version 3.2.2?

Comment 4 Alberto Planas Dominguez 2021-05-07 08:16:59 UTC

(In reply to Gianluca Gabrielli from comment #3)
> Hi Johannes, thanks to have pointed this out.
> 
> @Alberto, could you please fix this in Factory by bumping the package to
> version 3.2.2?

https://build.opensuse.org/request/show/891227

There are some missing deps versions, as asgiref.

Comment 5 Swamp Workflow Management 2023-01-03 14:22:41 UTC

openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-Django-2.2.28-bp153.2.3.1