—

PYSEC-2021-7

Details

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / django

Introduced in: 2.2 Fixed in: 2.2.21

Fix pip install --upgrade 'django>=2.2.21'

References

https://www.djangoproject.com/weblog/2021/may/04/security-releases/ [ARTICLE]
https://docs.djangoproject.com/en/3.2/releases/security/ [WEB]
http://www.openwall.com/lists/oss-security/2021/05/04/3 [WEB]
https://groups.google.com/forum/#!forum/django-announce [WEB]
https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/ [WEB]
https://github.com/advisories/GHSA-rxjp-mfm9-w4wr [ADVISORY]