7.5
CVSSv3

CVE-2021-33571

Published: 08/06/2021 Updated: 07/12/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

In Django 2.2 prior to 2.2.24, 3.x prior to 3.1.12, and 3.2 prior to 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)
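The root cause is that a dotted string such as "010.0.0.1" is accepted by a lenient validator as 10.0.0.1, while other consumers of the same string (C inet_aton and many resolvers) read an octet with a leading "0" as octal and connect to 8.0.0.1, so an allowlist check and the eventual connection disagree. The following is an added illustration written for this page, not Django's own code: it mirrors the pre-fix lenient parse, the legacy octal interpretation, and a hardened validator that rejects leading zeros outright. The sample addresses are constructed.

```python
import ipaddress
import re

# Constructed sample inputs: the same dotted form, read two different ways.
SAMPLES = ["10.0.0.1", "010.0.0.1", "0177.0.0.1", "1.2.3.04", "256.1.1.1", "1.2.3"]


def lenient_ipv4(value: str):
    """Mirror the pre-fix behaviour: every octet is parsed as decimal even with
    leading zeros, so '010.0.0.1' is accepted and treated as 10.0.0.1.
    (ipaddress.IPv4Address behaved this way before Python 3.9.5.)
    Returns the canonical dotted-decimal string, or None if rejected."""
    parts = value.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            return None
        n = int(p, 10)
        if n > 255:
            return None
        octets.append(n)
    return ".".join(map(str, octets))


def legacy_inet_aton(value: str):
    """How C inet_aton() and many resolvers read the same string: an octet
    with a leading '0' is octal. This disagreement is what turns an
    accepted-but-misread address into an access-control bypass."""
    parts = value.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            return None
        if len(p) > 1 and p[0] == "0":
            try:
                n = int(p, 8)          # "010" -> 8, "0177" -> 127
            except ValueError:
                return None            # "09" is not valid octal
        else:
            n = int(p, 10)
        if n > 255:
            return None
        octets.append(n)
    return ".".join(map(str, octets))


# Hardened form: only canonical dotted-decimal, no leading zeros on any octet.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def strict_ipv4(value: str):
    """Hardened validator: accept only the unambiguous spelling, so every
    downstream consumer reads the same host. Returns the address or None."""
    if not _STRICT_IPV4.fullmatch(value):
        return None
    return str(ipaddress.IPv4Address(value))


def is_ambiguous(value: str) -> bool:
    """True when the lenient validator accepts a string that the legacy
    parser resolves to a different host (the bypass condition)."""
    lenient = lenient_ipv4(value)
    legacy = legacy_inet_aton(value)
    return lenient is not None and legacy is not None and lenient != legacy


def classify(samples):
    """Summarise each sample under the three readings; used for the table below."""
    return {
        s: {
            "lenient": lenient_ipv4(s),
            "legacy": legacy_inet_aton(s),
            "strict": strict_ipv4(s),
            "ambiguous": is_ambiguous(s),
        }
        for s in samples
    }


if __name__ == "__main__":
    for addr, row in classify(SAMPLES).items():
        print(f"{addr:>12}  lenient={row['lenient']!s:<12} "
              f"legacy={row['legacy']!s:<12} strict={row['strict']!s:<12} "
              f"ambiguous={row['ambiguous']}")
```

Note that "0177.0.0.1" passes the lenient check as 177.0.0.1 but is read by the legacy parser as 127.0.0.1, which is exactly the loopback case an IP-based access control is meant to block; "1.2.3.04" happens to resolve the same way under both readings, yet the strict validator still rejects it, because the safe rule is to reject the ambiguous spelling rather than to reason about which consumers would disagree.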

Vulnerable Products

djangoproject django

fedoraproject fedora 35

Vendor Advisories

Debian Bug report logs - #989394 python-django: CVE-2021-33203 & CVE-2021-33571. Package: python-django; Maintainer for python-django is Debian Python Team <team+python@tracker.debian.org>; Source for python-django is src:python-django (PTS, buildd, popcon). Reported by: "Chris Lamb" <lamby@debian.org>. Date: Wed, ...
A flaw was found in django. Leading zeros in octal literals aren't prohibited in IP addresses. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. The highest threat from this vulnerability is to data integrity ...
A security issue has been found in Django before version 3.2.4. URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() validators were not affected ...