CVE-2021-31542 - Debian Debian Linux, Djangoproject Django and Fedoraproject Fedora
Critical 7.5
In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.
Affected software
- Debian Debian Linux
- Djangoproject Django
- Fedoraproject Fedora
Reference links
- https://www.djangoproject.com/weblog/2021/may/04/security-releases/
- https://docs.djangoproject.com/en/3.2/releases/security/
- http://www.openwall.com/lists/oss-security/2021/05/04/3
- https://groups.google.com/forum/#!forum/django-announce
- https://lists.debian.org/debian-lts-announce/2021/05/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/