CVE-2021-28658

Published: 06/04/2021 | Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

In Django 2.2 prior to 2.2.20, 3.0 prior to 3.0.14, and 3.1 prior to 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

Vulnerable Product

djangoproject django

debian debian linux 9.0

fedoraproject fedora 34

Vendor Advisories

Debian Bug report logs - #986447: python-django: CVE-2021-28658. Package: python-django; Maintainer for python-django is Debian Python Team <team+python@tracker.debian.org>; Source for python-django is src:python-django. Reported by: "Chris Lamb" <lamby@debian.org> Date: Tue, 6 Apr 2021 08:42:02 U ...
A security issue was discovered in Django before versions 3.1.8, 3.0.14 and 2.2.20. MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability ...

Mailing Lists

oss-sec mailing list archives: Django: CVE-2021-28658: Potential directory-traversal via uploaded files ...