Bug 1186608 - (CVE-2021-33203) VUL-0: CVE-2021-33203: python-Django,python-Django1: Potential directory traversal via admindocs
(CVE-2021-33203)
VUL-0: CVE-2021-33203: python-Django,python-Django1: Potential directory trav...
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-05-28 13:42 UTC by Gianluca Gabrielli
Modified: 2021-07-29 09:20 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch (5.21 KB, patch)
2021-05-28 13:44 UTC, Gianluca Gabrielli
Details | Diff
patch (5.24 KB, patch)
2021-05-28 13:44 UTC, Gianluca Gabrielli
Details | Diff
patch (4.31 KB, patch)
2021-05-28 13:45 UTC, Gianluca Gabrielli
Details | Diff
Patch for Django 2.2.x (3.42 KB, patch)
2021-05-28 13:46 UTC, Gianluca Gabrielli
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-05-28 13:42:41 UTC
Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
Comment 3 Gianluca Gabrielli 2021-05-28 13:44:13 UTC
Affected packages:
 
 - openSUSE:Factory/python-Django  3.2.3
Comment 4 Gianluca Gabrielli 2021-05-28 13:44:38 UTC
Created attachment 849776 [details]
patch
Comment 5 Gianluca Gabrielli 2021-05-28 13:44:56 UTC
Created attachment 849777 [details]
patch
Comment 6 Gianluca Gabrielli 2021-05-28 13:45:12 UTC
Created attachment 849778 [details]
patch
Comment 7 Gianluca Gabrielli 2021-05-28 13:46:46 UTC
Created attachment 849779 [details]
Patch for Django 2.2.x
Comment 10 Marcus Meissner 2021-06-07 11:22:08 UTC
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

is public

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

This issue has low severity, according to the Django security policy.

Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team for the report.
Comment 12 Swamp Workflow Management 2021-06-11 16:20:48 UTC
SUSE-SU-2021:1963-1: An update that fixes 10 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1044849,1179805,1181379,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2019-25025,CVE-2020-29651,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-3281,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-11435
Sources used:
SUSE OpenStack Cloud 7 (src):    crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2, grafana-6.7.4-1.24.2, kibana-4.6.6-9.2, monasca-installer-20180608_12.47-16.2, python-Django-1.8.19-3.29.1, python-py-1.8.1-11.16.2, rubygem-activerecord-session_store-0.1.2-3.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-06-11 16:28:35 UTC
SUSE-SU-2021:1962-1: An update that fixes 23 vulnerabilities, contains two features is now available.

Category: security (moderate)
Bug References: 1044849,1048688,1115960,1148383,1170657,1171909,1172409,1172450,1174583,1178243,1179805,1181277,1181278,1181689,1181690,1182317,1182433,1183174,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2018-19039,CVE-2019-15043,CVE-2019-25025,CVE-2020-10743,CVE-2020-11110,CVE-2020-12052,CVE-2020-13379,CVE-2020-17516,CVE-2020-24303,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-10357,SOC-11453
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    cassandra-3.11.10-3.3.3, crowbar-openstack-6.0+git.1616146717.a89ae0f4e-3.34.4, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, rubygem-activerecord-session_store-0.1.2-4.3.2
SUSE OpenStack Cloud 9 (src):    ardana-neutron-9.0+git.1615223676.777f0b3-3.25.2, ardana-swift-9.0+git.1618235096.90974ed-3.10.2, cassandra-3.11.10-3.3.3, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, venv-openstack-barbican-7.0.1~dev24-3.23.1, venv-openstack-cinder-13.0.10~dev20-3.26.1, venv-openstack-designate-7.0.2~dev2-3.23.1, venv-openstack-glance-17.0.1~dev30-3.21.1, venv-openstack-heat-11.0.4~dev4-3.23.1, venv-openstack-horizon-14.1.1~dev11-4.27.3, venv-openstack-ironic-11.1.5~dev17-4.21.2, venv-openstack-keystone-14.2.1~dev4-3.24.3, venv-openstack-magnum-7.2.1~dev1-4.23.1, venv-openstack-manila-7.4.2~dev60-3.29.1, venv-openstack-monasca-2.7.1~dev10-3.21.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.23.2, venv-openstack-neutron-13.0.8~dev164-6.27.3, venv-openstack-nova-18.3.1~dev82-3.27.3, venv-openstack-octavia-3.2.3~dev7-4.23.1, venv-openstack-sahara-9.0.2~dev15-3.23.1, venv-openstack-swift-2.19.2~dev48-2.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-07-28 19:22:29 UTC
SUSE-SU-2021:2554-1: An update that solves 16 vulnerabilities, contains 10 features and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1019074,1044849,1057496,1073879,1113302,1123064,1143893,1166139,1176784,1179805,1180507,1181277,1181278,1181689,1181828,1182433,1183174,1183803,1184148,1185623,1185836,1186608,1186611,940812
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2017-5929,CVE-2019-25025,CVE-2020-17516,CVE-2020-26247,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-21419,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571
JIRA References: ECO-3105,PM-2352,SCRD-8523,SOC-11422,SOC-11470,SOC-11471,SOC-11521,SOC-11523,SOC-11525,SOC-9876
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    cassandra-3.11.10-5.3.5, crowbar-core-5.0+git.1622489449.a8e60e238-3.50.4, crowbar-openstack-5.0+git.1616001417.67fd9c2a1-4.52.5, documentation-suse-openstack-cloud-deployment-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, rubygem-activerecord-session_store-0.1.2-3.3.2
SUSE OpenStack Cloud 8 (src):    ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-suse-openstack-cloud-installation-8.20210512-1.32.5, documentation-suse-openstack-cloud-operations-8.20210512-1.32.5, documentation-suse-openstack-cloud-opsconsole-8.20210512-1.32.5, documentation-suse-openstack-cloud-planning-8.20210512-1.32.5, documentation-suse-openstack-cloud-security-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, documentation-suse-openstack-cloud-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-12.0.5~dev6-14.36.6, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3
HPE Helion Openstack 8 (src):    ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-hpe-helion-openstack-installation-8.20210512-1.32.5, documentation-hpe-helion-openstack-operations-8.20210512-1.32.5, documentation-hpe-helion-openstack-opsconsole-8.20210512-1.32.5, documentation-hpe-helion-openstack-planning-8.20210512-1.32.5, documentation-hpe-helion-openstack-security-8.20210512-1.32.5, documentation-hpe-helion-openstack-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-hpe-12.0.5~dev6-14.36.3, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Christian Almeida de Oliveira 2021-07-29 09:20:43 UTC
SOC fixes included in the last MU's. Back to security team.