CVE-2021-28658

Description

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

How to fix CVE-2021-28658

To remediate CVE-2021-28658, upgrade the affected package to a fixed version below.

• Bitnami/django—upgrade to 2.2.20 or later
• —upgrade to 2:2.2.20-1 or later
• —upgrade to 1:1.10.7-2+deb9u12 or later
• —upgrade to 1:1.11.29-1+deb10u11 or later
• —upgrade to 2.2.20 or later
• —upgrade to 2.2.20 or later

Is CVE-2021-28658 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• >= 2.2.0, < 2.2.20, >= 3.0.0, < 3.0.14, >= 3.1.0, < 3.1.8
• from 0, < 2:2.2.20-1
• from 0, < 1:1.10.7-2+deb9u12
• from 0, < 1:1.11.29-1+deb10u11
• >= 2.2a1, < 2.2.20
• >= 2.2, < 2.2.20, >= 3.0, < 3.0.14, >= 3.1, < 3.1.8

CVSS scores

References (17)

• ADVISORYgithub.com/advisories/GHSA-xgxc-v2qg-chmh
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-28658
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-28658
• ADVISORYwww.djangoproject.com/weblog/2021/apr/06/security-releases/
• PATCH