{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-02-26T08:06:39", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"}, {"name": "FEDORA-2021-5329c680f7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-3281", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/forum/#!forum/django-announce", "refsource": "MISC", "url": "https://groups.google.com/forum/#!forum/django-announce"}, {"name": "https://docs.djangoproject.com/en/3.1/releases/security/", "refsource": "MISC", "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"name": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"}, {"name": "FEDORA-2021-5329c680f7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"}, {"name": "https://security.netapp.com/advisory/ntap-20210226-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T16:53:17.221Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"}, {"name": "FEDORA-2021-5329c680f7", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-3281", "datePublished": "2021-02-02T06:16:28", "dateReserved": "2021-01-22T00:00:00", "dateUpdated": "2024-08-03T16:53:17.221Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "46A5C187-6988-47C2-9557-51DA3B5A5E43", "versionEndExcluding": "2.2.18", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC2B0286-FDDA-45E1-9996-FA5B8C53F0B1", "versionEndExcluding": "3.0.12", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A6BDD7A-AB21-442B-8137-7508B7E72ACC", "versionEndExcluding": "3.1.6", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments."}, {"lang": "es", "value": "En Django versiones 2.2 anteriores a 2.2.18, versiones 3.0 anteriores a 3.0.12 y versiones 3.1 anteriores a 3.1.6, el m\u00e9todo django.utils.archive.extract (usado por \"startapp --template\" y \"startproject --template\") permite un salto de directorios por medio de un archivo con rutas absolutas o rutas relativas con segmentos de puntos"}], "id": "CVE-2021-3281", "lastModified": "2024-11-21T06:21:12.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-02T07:15:14.020", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.djangoproject.com/en/3.1/releases/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210226-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:0780", "cpe": "cpe:/a:redhat:ansible_automation_platform:3.8::el7", "package": "ansible-tower-38/ansible-runner-rhel7:1.4.7-1", "product_name": "Red Hat Ansible Tower 3.8 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0780", "cpe": "cpe:/a:redhat:ansible_automation_platform:3.8::el7", "package": "ansible-tower-38/ansible-tower-rhel7:3.8.2-1", "product_name": "Red Hat Ansible Tower 3.8 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "automation-hub-0:4.2.2-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python3-django-0:2.2.18-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-bleach-0:3.3.0-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-bleach-allowlist-0:1.0.3-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-galaxy-importer-0:0.2.15-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-galaxy-ng-0:4.2.2-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el7", "package": "python-pulp-ansible-1:0.5.6-1.el7pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 7", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "automation-hub-0:4.2.2-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python3-django-0:2.2.18-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-bleach-0:3.3.0-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-bleach-allowlist-0:1.0.3-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-galaxy-importer-0:0.2.15-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-galaxy-ng-0:4.2.2-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:0781", "cpe": "cpe:/a:redhat:ansible_automation_platform:4.2::el8", "package": "python-pulp-ansible-1:0.5.6-1.el8pc", "product_name": "Red Hat Automation Hub 4.2 for RHEL 8", "release_date": "2021-03-09T00:00:00Z"}, {"advisory": "RHSA-2021:5070", "cpe": "cpe:/a:redhat:openstack:16.1::el8", "package": "python-django20-0:2.0.13-16.el8ost.1", "product_name": "Red Hat OpenStack Platform 16.1", "release_date": "2021-12-09T00:00:00Z"}, {"advisory": "RHSA-2021:3490", "cpe": "cpe:/a:redhat:openstack:16.2::el8", "package": "python-django20-0:2.0.13-16.el8ost.1", "product_name": "Red Hat OpenStack Platform 16.2", "release_date": "2021-09-15T00:00:00Z"}], "bugzilla": {"description": "django: Potential directory-traversal via archive.extract()", "id": "1919969", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1919969"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments.", "A flaw was found in django where the`django.utils.archive.extract()` function, used by `startapp --template` and `startproject --template`, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments."], "name": "CVE-2021-3281", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "package_name": "django", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Fix deferred", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2021-02-01T10:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3281\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3281"], "statement": "The following products ship affected version of python-django, however the vulnerable function archive.extract() is currently not used in any part of the product and hence this issue has been rated as having a security impact of Low:\n* Red Hat Gluster Storage 3\n* Red Hat Update Infrastructure 3\nBecause the flaw's impact is lower and Red Hat OpenStack Platform 13 will be retiring soon, no update will be provided at this time for the RHOSP13 python-django package.", "threat_severity": "Moderate"}