CVE-2021-44420

NameCVE-2021-44420
DescriptionIn Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)stretch1:1.10.7-2+deb9u9fixed
stretch (security)1:1.10.7-2+deb9u17fixed
buster, buster (security)1:1.11.29-1~deb10u1vulnerable
bullseye2:2.2.26-1~deb11u1fixed
bookworm2:3.2.13-1fixed
sid2:4.0.5-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcestretch(not affected)
python-djangosourcebullseye2:2.2.25-1~deb11u1
python-djangosource(unstable)2:3.2.10-1

Notes

[buster] - python-django <no-dsa> (Minor issue)
[stretch] - python-django <not-affected> (Vulnerable code not present; path converters added later)
https://www.openwall.com/lists/oss-security/2021/12/07/1
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
https://github.com/django/django/commit/333c65603032c377e682cdbd7388657a5463a05a (3.2.10)
https://github.com/django/django/commit/7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (2.2.25)

Search for package or bug name: Reporting problems