CVE-2021-33571 - log back

CVE-2021-33571 edited at 02 Jun 2021 10:43:33
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A security issue has been found in Django before version 3.2.4. URLValidator, validate_ipv4_address(), and validate_ipv46_address() did not reject IPv4 addresses whose octets carry leading zeros (for example 010.0.0.1). Such octets are read as decimal by some parsers and as octal literals by others (libc's inet_aton() turns 010.0.0.1 into 8.0.0.1), so a value that passes validation and a string-based allow- or block-list can still connect to a different host than the one checked. An application relying on these validators could therefore be exposed to indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() were not affected on Python 3.9.5+, where the ipaddress module itself rejects leading zeros.
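The following is an added illustration, not code from Django or from this tracker entry. It models the pre-fix and post-fix octet patterns on the Django validators' regular expressions (the exact patterns here are an assumption, written for this example), and then asks libc's inet_aton(), via Python's socket module, what host a leading-zero address actually denotes. The divergence between "string the validator accepted" and "host the socket layer connects to" is the indeterminacy the advisory refers to.

```python
import re
import socket

# Octet pattern modelled on the pre-fix validator (assumption for this example):
# accepts 1-3 digits with a leading 0 or 1, so "000", "010" and "001" all pass.
_PERMISSIVE_OCTET = r"(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)"

# Octet pattern modelled on the fixed validator (assumption for this example):
# a lone "0", or a 1-3 digit number that does not start with a zero.
_STRICT_OCTET = r"(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)"

_PERMISSIVE_RE = re.compile(rf"{_PERMISSIVE_OCTET}(?:\.{_PERMISSIVE_OCTET}){{3}}")
_STRICT_RE = re.compile(rf"{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}")


def permissive_ipv4(value: str) -> bool:
    """Pre-fix style check: leading zeros in an octet are accepted."""
    return _PERMISSIVE_RE.fullmatch(value) is not None


def strict_ipv4(value: str) -> bool:
    """Fixed style check: an octet is either exactly '0' or has no leading zero."""
    return _STRICT_RE.fullmatch(value) is not None


def as_seen_by_inet_aton(value: str):
    """Dotted quad that libc's inet_aton() actually resolves `value` to, or None.

    inet_aton() follows C numeric literal rules, so a leading 0 marks an octal octet.
    """
    try:
        return socket.inet_ntoa(socket.inet_aton(value))
    except OSError:
        return None


def divergent(value: str) -> bool:
    """True when the permissive validator accepts `value` but the socket layer
    would connect to a host whose canonical spelling differs from `value`.

    This is the gap an attacker exploits: a string compare against a block-list
    (e.g. "127.0.0.1" or "10.0.0.1") never matches, yet the request still lands
    on the internal host.
    """
    if not permissive_ipv4(value):
        return False
    canonical = as_seen_by_inet_aton(value)
    return canonical is not None and canonical != value


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for candidate in ("10.0.0.1", "010.0.0.1", "127.000.000.001", "256.0.0.1"):
        print(
            f"{candidate:>16}  permissive={permissive_ipv4(candidate)!s:5} "
            f"strict={strict_ipv4(candidate)!s:5} "
            f"inet_aton={as_seen_by_inet_aton(candidate)}  divergent={divergent(candidate)}"
        )
```

Run on Linux or macOS the table shows 010.0.0.1 passing the permissive check while inet_aton() resolves it to 8.0.0.1, and 127.000.000.001 passing while resolving to 127.0.0.1; both are rejected by the strict pattern. On Python 3.9.5 and later, ipaddress.ip_address("010.0.0.1") raises ValueError as well, which is why the two address validators are unaffected there, but URLValidator, which does not go through ipaddress, still needed the regex change.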
References
+ https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses
+ https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
Notes
CVE-2021-33571 created at 02 Jun 2021 10:39:09