Moderate severityNVD Advisory· Published Feb 2, 2021· Updated Aug 3, 2024
CVE-2021-3281
CVE-2021-3281
Description
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DjangoPyPI | >= 2.2, < 2.2.18 | 2.2.18 |
DjangoPyPI | >= 3.1, < 3.1.6 | 3.1.6 |
DjangoPyPI | >= 3.0, < 3.0.12 | 3.0.12 |
Affected products
82- Django/Djangodescription
- osv-coords81 versionspkg:bitnami/djangopkg:pypi/djangopkg:rpm/suse/ardana-db&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/ardana-horizon&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-horizon&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ardana-horizon&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/ardana-logging&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-logging&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ardana-logging&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/ardana-monasca&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-monasca&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ardana-monasca&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/ardana-mq&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ardana-opsconsole-ui&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/ardana-osconfig&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/kibana&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-neutron&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-neutron-doc&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-nova&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-nova-doc&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/release-notes-hpe-helion-openstack&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/rubygem-activerecord-session_store&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/sleshammer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/sleshammer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/spark&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/spark&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/spark&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%209
>= 2.2.0, < 2.2.18+ 80 more
- (no CPE)range: >= 2.2.0, < 2.2.18
- (no CPE)range: >= 2.2, < 2.2.18
- (no CPE)range: < 9.0+git.1611600773.5f1de5f-3.22.1
- (no CPE)range: < 8.0+git.1610733160.0f577f4-3.21.1
- (no CPE)range: < 8.0+git.1610733160.0f577f4-3.21.1
- (no CPE)range: < 9.0+git.1610491814.38661c2-3.16.1
- (no CPE)range: < 8.0+git.1610573640.452aed1-3.27.1
- (no CPE)range: < 8.0+git.1610573640.452aed1-3.27.1
- (no CPE)range: < 9.0+git.1610490922.d5f9813-3.16.1
- (no CPE)range: < 8.0+git.1610740501.5dca121-3.27.1
- (no CPE)range: < 8.0+git.1610740501.5dca121-3.27.1
- (no CPE)range: < 9.0+git.1610547641.d79ecfd-3.22.1
- (no CPE)range: < 8.0+git.1605176800.52cccfa-3.29.1
- (no CPE)range: < 8.0+git.1605176800.52cccfa-3.29.1
- (no CPE)range: < 9.0+git.1611867924.eb82818-4.16.1
- (no CPE)range: < 8.0+git.1610643571.91b88d6-3.52.1
- (no CPE)range: < 8.0+git.1610643571.91b88d6-3.52.1
- (no CPE)range: < 9.0+git.1610634027.5934cf8-3.25.1
- (no CPE)range: < 6.0+git.1611320924.849e748ff-3.34.1
- (no CPE)range: < 5.0+git.1610564036.b75ee1b-3.35.1
- (no CPE)range: < 4.0+git.1616146720.44daffca0-9.81.2
- (no CPE)range: < 5.0+git.1610402513.08dca931e-4.49.1
- (no CPE)range: < 6.0+git.1610402342.21499240d-3.31.1
- (no CPE)range: < 6.7.4-1.24.2
- (no CPE)range: < 4.6.3-3.6.1
- (no CPE)range: < 4.6.6-9.2
- (no CPE)range: < 4.6.3-3.6.1
- (no CPE)range: < 4.6.3-4.6.1
- (no CPE)range: < 4.6.3-3.6.1
- (no CPE)range: < 4.6.3-4.6.1
- (no CPE)range: < 20180608_12.47-16.2
- (no CPE)range: < 14.1.1~dev10-3.21.3
- (no CPE)range: < 14.1.1~dev10-3.21.3
- (no CPE)range: < 7.4.2~dev60-4.33.2
- (no CPE)range: < 7.4.2~dev60-4.33.2
- (no CPE)range: < 11.0.9~dev69-3.40.1
- (no CPE)range: < 11.0.9~dev69-3.40.1
- (no CPE)range: < 13.0.8~dev147-3.34.2
- (no CPE)range: < 11.0.9~dev69-3.40.1
- (no CPE)range: < 13.0.8~dev147-3.34.2
- (no CPE)range: < 11.0.9~dev69-3.40.1
- (no CPE)range: < 11.0.9~dev69-3.40.1
- (no CPE)range: < 11.0.9~dev69-3.40.1
- (no CPE)range: < 12.0.1~dev16-3.22.2
- (no CPE)range: < 12.0.1~dev16-3.22.2
- (no CPE)range: < 16.1.9~dev78-3.45.1
- (no CPE)range: < 16.1.9~dev78-3.45.1
- (no CPE)range: < 18.3.1~dev78-3.34.2
- (no CPE)range: < 16.1.9~dev78-3.45.1
- (no CPE)range: < 18.3.1~dev78-3.34.2
- (no CPE)range: < 16.1.9~dev78-3.45.1
- (no CPE)range: < 16.1.9~dev78-3.45.1
- (no CPE)range: < 16.1.9~dev78-3.45.1
- (no CPE)range: < 1.11.29-3.18.2
- (no CPE)range: < 1.11.29-3.18.2
- (no CPE)range: < 1.11.29-3.22.1
- (no CPE)range: < 1.8.19-3.29.1
- (no CPE)range: < 1.11.29-3.22.1
- (no CPE)range: < 1.11.29-3.22.1
- (no CPE)range: < 1.8.1-11.16.2
- (no CPE)range: < 8.20201214-3.29.1
- (no CPE)range: < 8.20201214-3.29.1
- (no CPE)range: < 9.20201214-3.27.2
- (no CPE)range: < 8.20201214-3.29.1
- (no CPE)range: < 9.20201214-3.27.2
- (no CPE)range: < 0.1.2-3.4.2
- (no CPE)range: < 0.8.0-0.20.2
- (no CPE)range: < 0.9.0-7.6.1
- (no CPE)range: < 1.6.3-8.6.1
- (no CPE)range: < 1.6.3-8.6.1
- (no CPE)range: < 1.6.3-8.6.1
- (no CPE)range: < 12.0.5~dev6-14.34.3
- (no CPE)range: < 14.1.1~dev10-4.25.2
- (no CPE)range: < 12.0.5~dev6-14.34.1
- (no CPE)range: < 7.4.2~dev60-3.27.2
- (no CPE)range: < 11.0.9~dev69-13.36.1
- (no CPE)range: < 11.0.9~dev69-13.36.1
- (no CPE)range: < 13.0.8~dev147-6.25.2
- (no CPE)range: < 16.1.9~dev78-11.34.1
- (no CPE)range: < 16.1.9~dev78-11.34.1
- (no CPE)range: < 18.3.1~dev78-3.25.2
Patches
Vulnerability mechanics
References
18- github.com/advisories/GHSA-fvgf-6h6h-3322ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2021-3281ghsaADVISORY
- docs.djangoproject.com/en/3.1/releases/3.0.12ghsaWEB
- docs.djangoproject.com/en/3.1/releases/securityghsaWEB
- docs.djangoproject.com/en/3.1/releases/security/mitrex_refsource_MISC
- github.com/django/django/commit/02e6592835b4559909aa3aaaf67988fef435f624ghsaWEB
- github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23ghsaWEB
- github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37ghsaWEB
- github.com/django/django/commit/52e409ed17287e9aabda847b6afe58be2fa9f86aghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-9.yamlghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/mitrex_refsource_MISC
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOOghsaWEB
- security.netapp.com/advisory/ntap-20210226-0004ghsaWEB
- security.netapp.com/advisory/ntap-20210226-0004/mitrex_refsource_CONFIRM
- www.djangoproject.com/weblog/2021/feb/01/security-releasesghsaWEB
- www.djangoproject.com/weblog/2021/feb/01/security-releases/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.