Bugzilla – Bug 1193240
VUL-0: CVE-2021-44420: python-Django,python-Django1: Potential bypass of an upstream access control based on URL paths
Last modified: 2023-01-03 14:22:54 UTC
Created attachment 854183 [details] Upstream patch 2.2
Created attachment 854184 [details] Upstream patch 3.1
Created attachment 854185 [details] Upstream patch 3.2
Created attachment 854186 [details] Upstream patch 4.0
Created attachment 854187 [details] Upstream patch
This is now public.
-------------------

CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
=================================================================================

HTTP requests for URLs with trailing newlines could bypass an upstream access control based on URL paths.

This issue has low severity, according to the Django security policy.

Thanks to Sjoerd Job Postmus and TengMA(@te3t123) for the report.

Affected supported versions
===========================

* Django main branch
* Django 4.0 (which will be released in a separate blog post later today)
* Django 3.2
* Django 3.1
* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and the 4.0, 3.2, 3.1, and 2.2 release branches. The patches may be obtained from the following changesets:

* On the `main branch <https://github.com/django/django/commit/d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6>`__
* On the `4.0 release branch <https://github.com/django/django/commit/20b9ad36ff0558b819659a10a9734262367750be>`__
* On the `3.2 release branch <https://github.com/django/django/commit/333c65603032c377e682cdbd7388657a5463a05a>`__
* On the `3.1 release branch <https://github.com/django/django/commit/22bd17488159601bf0741b70ae7932bffea8eced>`__
* On the `2.2 release branch <https://github.com/django/django/commit/7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7>`__

The following releases have been issued:

* Django 3.2.10 (`download Django 3.2.10 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.10.tar.gz>`_ | `3.2.10 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.10.checksum.txt>`_)
* Django 3.1.14 (`download Django 3.1.14 <https://www.djangoproject.com/m/releases/3.1/Django-3.1.14.tar.gz>`_ | `3.1.14 checksums <https://www.djangoproject.com/m/pgp/Django-3.1.14.checksum.txt>`_)
* Django 2.2.25 (`download Django 2.2.25 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.25.tar.gz>`_ | `2.2.25 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.25.checksum.txt>`_)
Please submit to the following packages:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django 1.11.29
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1 1.11.29
- openSUSE:Factory/python-Django 3.2.9
- openSUSE:Backports:SLE-15-SP2/python-Django 2.2.12
- openSUSE:Backports:SLE-15-SP3/python-Django 2.2.12
- openSUSE:Backports:SLE-15-SP2/python-Django1 1.11.28
- openSUSE:Backports:SLE-15-SP3/python-Django1 1.11.28
Fergal will look into this for the Cloud repos
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1
(In reply to Jeremy Moffitt from comment #10)
> Fergal will look into this for the Cloud repos
> - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django
> - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1

Looking into this, I'm not sure that this patch is applicable to version 1.11.x, as used in the SOC 8 & 9 products.

While some of the code in the patch appears to exist in the older Django release, the calling code has been significantly changed as part of the implementation of the DEP 0201[1][2][3] functionality, which changed how URL/path related pattern matching was handled, including adding in the concept of whether a pattern is an endpoint or not, and special processing for key elements in the URL/path. That special processing appears to be the enabler for this exploit, and the endpoint concept is a key part of this CVE fix, originally reported as Django issue #30530[4].

As such I don't believe that this fix is applicable to Django 1.1.x, and I'm not even sure that the exploit is even applicable to the 1.11.x stream, as the older version of the URL/path pattern matching mechanism doesn't support automated special handling for the regex decoded fields, instead just returning the decoded string values; the calling application would have to implement any such special handling.

Links:
-----------------------
[1] https://github.com/django/deps/blob/main/final/0201-simplified-routing-syntax.rst
[2] https://code.djangoproject.com/ticket/28593
[3] https://github.com/django/django/pull/7482
[4] https://code.djangoproject.com/ticket/30530
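The advisory above says only that a trailing newline in the request path can slip past an upstream path-based control, and comment #11 points at the DEP 0201 route matching as the enabler. The script below is an added example, not code from Django or from the linked patches: it re-creates in miniature how a `path()` route is compiled to a regex, with the pre-fix terminator `$` beside the post-fix terminator `\Z` (the anchor change the upstream changesets make), and puts a constructed exact-path deny rule in front of it to show why an upstream check and the application can disagree about the same request. The route table, the `DENIED_EXACT` rule, and the helper names are assumptions made for the demonstration; only the `str` converter is modelled. The key Python fact it relies on is that, outside MULTILINE mode, `$` also matches immediately before a newline that ends the string, while `\Z` matches only at the true end.

```python
import re

# Added example (not Django's code): a stripped-down re-creation of how a
# path() route is compiled to a regex, enough to show why a trailing newline
# in the decoded path slips past a "$" anchor. Only the str converter is
# modelled; names and shapes here are assumptions, not Django's API.

WEAK_ANCHOR = "$"      # pre-fix: "$" also matches just before a final "\n"
FIXED_ANCHOR = r"\Z"   # post-fix: "\Z" matches only at the true end of input


def route_to_regex(route: str, end_anchor: str) -> str:
    """Turn 'articles/<str:slug>/' into an anchored regex string."""
    parts = ["^"]
    pos = 0
    for m in re.finditer(r"<(?:(?P<converter>\w+):)?(?P<name>\w+)>", route):
        parts.append(re.escape(route[pos:m.start()]))
        converter = m.group("converter") or "str"
        if converter != "str":
            raise ValueError(f"converter {converter!r} not modelled in this example")
        parts.append(f"(?P<{m.group('name')}>[^/]+)")
        pos = m.end()
    parts.append(re.escape(route[pos:]))
    parts.append(end_anchor)
    return "".join(parts)


# Constructed route table: (route, view name)
ROUTES = [
    ("admin/", "admin_view"),
    ("articles/<str:slug>/", "article_view"),
]

# Constructed stand-in for an upstream exact-path deny rule (for instance a
# reverse proxy that blocks exactly "admin/"). It compares the decoded path
# as-is, so "admin/\n" is a different string and is not blocked.
DENIED_EXACT = {"admin/"}


def upstream_allows(path: str) -> bool:
    return path not in DENIED_EXACT


def resolve(path: str, routes, end_anchor: str):
    """Return (view, captured kwargs) for the first matching route, else (None, {})."""
    for route, view in routes:
        m = re.match(route_to_regex(route, end_anchor), path)
        if m:
            return view, m.groupdict()
    return None, {}


def handle(path: str, end_anchor: str) -> str:
    """Front proxy check first, then application routing."""
    if not upstream_allows(path):
        return "blocked-upstream"
    view, _ = resolve(path, ROUTES, end_anchor)
    return view or "404"


def has_trailing_newline(path: str) -> bool:
    """Detection helper: a decoded request path should never end in CR/LF."""
    return path != path.rstrip("\r\n")


if __name__ == "__main__":
    for anchor_name, anchor in (("$", WEAK_ANCHOR), (r"\Z", FIXED_ANCHOR)):
        for path in ("admin/", "admin/\n"):
            print(f"anchor={anchor_name:2} path={path!r:12} -> {handle(path, anchor)}")
```

With the `$` anchor the proxy lets `"admin/\n"` through (it is not the exact string `"admin/"`) and the application then routes it to the admin view, which is the disagreement the advisory describes; with `\Z` the same request is a 404 on the application side, so the two layers agree again. The `has_trailing_newline` check is the sort of thing a proxy or WAF log filter can flag while the fixed packages are being rolled out.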
based on comment #11, no impact on SOC products. Back to Security team.
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src): python-Django-2.2.28-bp153.2.3.1