Log

AVG-2026 edited at 02 Jun 2021 10:43:33
Severity
- Low
+ Medium
CVE-2021-33571 edited at 02 Jun 2021 10:43:33
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Insufficient validation
Description
+ A security issue has been found in Django before version 3.2.4. URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.
References
+ https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses
+ https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
Notes
AVG-2026 edited at 02 Jun 2021 10:41:00
Severity
- Unknown
+ Low
CVE-2021-33203 edited at 02 Jun 2021 10:41:00
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Information disclosure
Description
+ A security issue has been found in Django before version 3.2.4. Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.
References
+ https://www.djangoproject.com/weblog/2021/jun/02/security-releases/#s-cve-2021-33203-potential-directory-traversal-via-admindocs
+ https://github.com/django/django/commit/dfaba12cda060b8b292ae1d271b44bf810b1c5b9
Notes
AVG-2026 created at 02 Jun 2021 10:39:09
Packages
+ python-django
Issues
+ CVE-2021-33203
+ CVE-2021-33571
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 3.2.3-2
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-33203 created at 02 Jun 2021 10:39:09
CVE-2021-33571 created at 02 Jun 2021 10:39:09
AVG-2023 edited at 02 Jun 2021 08:29:56
Status
- Vulnerable
+ Testing
Fixed
+ 13.12.2-1
Notes
- The advisory contains nine more security issues for which a CVE ID has been request, but has not been assigned yet.
+ The advisory contains nine more security issues for which a CVE ID has been requested, but has not been assigned yet.
CVE-2021-22181 edited at 02 Jun 2021 08:29:21
Description
- A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 before 13.12.2, 13.11.5, and 13.10.5 allows an attacker to create a recursive pipeline relationship and exhaust resources.
+ A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 before 13.12.2 allows an attacker to create a recursive pipeline relationship and exhaust resources.
AVG-1905 edited at 02 Jun 2021 08:28:51
Affected
- 13.11.4-1
+ 13.12.2-1
Notes
- RDoc version 6.2.0 and Action Pack version 6.0.3.6 are bundled in Gitaly version 13.11.4.
+ RDoc version 6.2.0 and Action Pack version 6.0.3.6 are bundled in Gitaly version 13.12.2.
AVG-1904 edited at 02 Jun 2021 08:28:23
Notes
- RDoc version 6.2.0 and Action Pack version 6.0.3.6 are bundled in GitLab version 13.11.3.
+ RDoc version 6.1.2 and Action Pack version 6.0.3.6 are bundled in GitLab version 13.12.2.
AVG-1904 edited at 02 Jun 2021 08:27:10
Affected
- 13.11.3-1
+ 13.12.2-1
Notes
- RDoc version 6.1.2 and Action Pack version 6.0.3.6 are bundled in GitLab version 13.11.3.
+ RDoc version 6.2.0 and Action Pack version 6.0.3.6 are bundled in GitLab version 13.11.3.
CVE-2020-22037 edited at 02 Jun 2021 08:20:50
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Denial of service
Description
+ A denial of service vulnerability exists in FFmpeg 4.2 due to a memory leak in avcodec_alloc_context3 at options.c.
References
+ https://trac.ffmpeg.org/ticket/8281