ASA-202106-41 log generated external raw

[ASA-202106-41] python-django: multiple issues
Arch Linux Security Advisory ASA-202106-41 ========================================== Severity: Medium Date : 2021-06-15 CVE-ID : CVE-2021-33203 CVE-2021-33571 Package : python-django Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2026 Summary ======= The package python-django before version 3.2.4-1 is vulnerable to multiple issues including insufficient validation and directory traversal. Resolution ========== Upgrade to 3.2.4-1. # pacman -Syu "python-django>=3.2.4-1" The problems have been fixed upstream in version 3.2.4. Workaround ========== None. Description =========== - CVE-2021-33203 (directory traversal) A security issue has been found in Django before version 3.2.4. Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. - CVE-2021-33571 (insufficient validation) A security issue has been found in Django before version 3.2.4. URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+. Impact ====== User accounts with staff privileges could check for the existence of arbitrary files, and possibly disclose their contents. Additionally, leading zeros in IPv4 addresses could be used to bypass IP-based access restrictions. References ========== https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33203-potential-directory-traversal-via-admindocs https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9 https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d https://security.archlinux.org/CVE-2021-33203 https://security.archlinux.org/CVE-2021-33571

[ASA-202106-41] python-django: multiple issues

Arch Linux Security Advisory ASA-202106-41 ========================================== Severity: Medium Date : 2021-06-15 CVE-ID : CVE-2021-33203 CVE-2021-33571 Package : python-django Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-2026 Summary ======= The package python-django before version 3.2.4-1 is vulnerable to multiple issues including insufficient validation and directory traversal. Resolution ========== Upgrade to 3.2.4-1. # pacman -Syu "python-django>=3.2.4-1" The problems have been fixed upstream in version 3.2.4. Workaround ========== None. Description =========== - CVE-2021-33203 (directory traversal) A security issue has been found in Django before version 3.2.4. Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. - CVE-2021-33571 (insufficient validation) A security issue has been found in Django before version 3.2.4. URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+. Impact ====== User accounts with staff privileges could check for the existence of arbitrary files, and possibly disclose their contents. Additionally, leading zeros in IPv4 addresses could be used to bypass IP-based access restrictions. References ========== https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33203-potential-directory-traversal-via-admindocs https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9 https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d https://security.archlinux.org/CVE-2021-33203 https://security.archlinux.org/CVE-2021-33571