NVD Vulnerability Detail

CVE-2021-28658

Summary	In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Publication Date	April 7, 2021, 12:15 a.m.
Registration Date	April 7, 2021, 10:04 a.m.
Last Update	Nov. 21, 2024, 3 p.m.

Affected software configurations

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:34:::::::*

Related information, measures and tools

No	URL	タグ
1	https://docs.djangoproject.com/en/3.1/releases/security/	Vendor Advisory
2	https://docs.djangoproject.com/en/3.1/releases/security/	Vendor Advisory
3	https://groups.google.com/g/django-announce/c/ePr5j-ngdPU	Mailing List Third Party Advisory
4	https://groups.google.com/g/django-announce/c/ePr5j-ngdPU	Mailing List Third Party Advisory
5	https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html	Mailing List Third Party Advisory
6	https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html	Mailing List Third Party Advisory
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
9	https://security.netapp.com/advisory/ntap-20210528-0001/	Third Party Advisory
10	https://security.netapp.com/advisory/ntap-20210528-0001/	Third Party Advisory
11	https://www.djangoproject.com/weblog/2021/apr/06/security-releases/	Vendor Advisory
12	https://www.djangoproject.com/weblog/2021/apr/06/security-releases/	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

Django におけるパストラバーサルの脆弱性

Title	Django におけるパストラバーサルの脆弱性
Summary	Django には、パストラバーサルの脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 6, 2021, midnight
Registration Date	Dec. 15, 2021, 5:55 p.m.
Last Update	Dec. 15, 2021, 5:55 p.m.

Affected System

Debian

Debian GNU/Linux

Fedora Project

Fedora

Django Software Foundation

Django 2.2.20 未満の 2.2

Django 3.0.14 未満の 3.0

Django 3.1.8 未満の 3.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-28658	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
National Vulnerability Database (NVD)
2	CVE-2021-28658	https://nvd.nist.gov/vuln/detail/CVE-2021-28658

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 2622-1] python-django security update	https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html
Django Software Foundation
2	Archive of security issues	https://docs.djangoproject.com/en/3.1/releases/security/
3	Django security releases issued: 3.1.8, 3.0.14, and 2.2.20	https://www.djangoproject.com/weblog/2021/apr/06/security-releases/
Fedora Update Notification
4	FEDORA-2021-01044b8a59	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/

Change Log

No	Changed Details	Date of change
1	[2021年12月15日] 掲載	Dec. 15, 2021, 5:55 p.m.