Main Vulnerability Database SB2021020117

SB2021020117 - Path traversal in Django

Published: February 1, 2021 Updated: July 5, 2021

Security Bulletin ID SB2021020117

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2021-3281)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences inside archives with "django.utils.archive.extract()" function. A remote attacker can pass specially crafted archive to the application and write files to arbitrary directory on the system.

Remediation

Install update from vendor's website.

References

https://www.djangoproject.com/weblog/2021/feb/01/security-releases/