CVSS2 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |

CVSS3 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |

EPSS | Value |
---|---|
Percentile | 53.5% |
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with
Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless
the URLField form field is used). If an application uses values with
newlines in an HTTP response, header injection can occur. Django itself is
unaffected because HttpResponse prohibits newlines in HTTP headers.
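The description above points at two separate layers: the URL validator, which in the affected versions let tabs and newlines through, and the response object, which still refused newlines in header values. The following is an added example (not Django's code, and not taken from any of the referenced advisories) showing both layers in plain Python: a validator that rejects control characters before parsing, and a header setter that refuses CR/LF as a last line of defence. The names `validate_url`, `is_valid_url`, `set_header` and `build_redirect_headers`, the constant `UNSAFE_CHARS` and the sample inputs are all constructed for this example.

```python
"""Defensive handling of user-supplied URLs that may end up in HTTP response headers."""
from urllib.parse import urlsplit

# Control characters that must never reach a header line.
# Hypothetical constant for this example, not Django's own definition.
UNSAFE_CHARS = frozenset("\t\r\n")


class HeaderInjectionError(ValueError):
    """Raised when a header value would terminate the header line early."""


def validate_url(value):
    """Return the URL unchanged if it is an absolute http(s) URL free of tabs and newlines.

    The control-character check runs *before* parsing on purpose: newer urllib.parse
    releases strip tabs and newlines while splitting, so a parse-only check can accept
    a URL that still carries them in its raw form.
    """
    if not isinstance(value, str):
        raise ValueError("URL must be a string")
    if UNSAFE_CHARS.intersection(value):
        raise ValueError("URL contains tab or newline characters")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URL")
    return value


def is_valid_url(value):
    """Boolean wrapper around validate_url for callers that do not want exceptions."""
    try:
        validate_url(value)
    except ValueError:
        return False
    return True


def set_header(headers, name, value):
    """Store a header, refusing any value that contains CR or LF.

    This mirrors the protection the description credits to HttpResponse: even if a
    bad value slips past validation, it cannot start a second header line.
    """
    if "\r" in value or "\n" in value:
        raise HeaderInjectionError("header %r value contains a newline" % name)
    headers[name] = value
    return headers


def build_redirect_headers(target):
    """Validate a user-supplied redirect target and place it in a Location header.

    Returns the header dict, or None if the target is rejected at either layer.
    """
    headers = {}
    try:
        set_header(headers, "Location", validate_url(target))
    except ValueError:  # HeaderInjectionError is a ValueError too
        return None
    return headers


if __name__ == "__main__":
    # Constructed sample inputs: one clean URL and one carrying an embedded newline.
    for sample in ("https://example.com/next", "https://example.com/next\nsecond-line"):
        print(repr(sample), "->", build_redirect_headers(sample))
```

The point of keeping both checks is that they fail independently: the validator stops bad input at the form boundary, while the header setter protects any code path that builds headers from data that never went through a form.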
Author | Note |
---|---|
alexmurray | Requires Python 3.9.5 or greater, which is only present in impish+. |
mdeslaur | Python 3.9.5 is now being backported to focal+, so this now needs to be fixed. While this was originally marked as not-affected for bionic, a subsequent security update introduced the behaviour change in bionic, which resulted in this CVE needing to be fixed. |
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-django | < 1:1.11.11-1ubuntu1.17 | UNKNOWN |
ubuntu | 20.04 | noarch | python-django | < 2:2.2.12-1ubuntu0.7 | UNKNOWN |
ubuntu | 20.10 | noarch | python-django | < 2:2.2.16-1ubuntu0.5 | UNKNOWN |
ubuntu | 21.04 | noarch | python-django | < 2:2.2.20-1ubuntu0.2 | UNKNOWN |
ubuntu | 21.10 | noarch | python-django | < 2:2.2.22-1 | UNKNOWN |
ubuntu | 22.04 | noarch | python-django | < 2:2.2.22-1 | UNKNOWN |
www.openwall.com/lists/oss-security/2021/05/06/1
docs.djangoproject.com/en/3.2/releases/security/
groups.google.com/forum/#!forum/django-announce
launchpad.net/bugs/cve/CVE-2021-32052
nvd.nist.gov/vuln/detail/CVE-2021-32052
security-tracker.debian.org/tracker/CVE-2021-32052
ubuntu.com/security/notices/USN-4975-1
ubuntu.com/security/notices/USN-5373-1
ubuntu.com/security/notices/USN-5373-2
www.cve.org/CVERecord?id=CVE-2021-32052
www.djangoproject.com/weblog/2021/may/06/security-releases/