CVE-2021-44420

NameCVE-2021-44420
DescriptionIn Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)jessie, jessie (lts)1.7.11-1+deb8u17fixed
stretch (security)1:1.10.7-2+deb9u17fixed
stretch (lts), stretch1:1.10.7-2+deb9u23fixed
buster, buster (lts)1:1.11.29-1+deb10u12fixed
buster (security)1:1.11.29-1+deb10u11fixed
bullseye (security), bullseye2:2.2.28-1~deb11u2fixed
bookworm (security), bookworm3:3.2.19-1+deb12u1fixed
trixie3:4.2.16-1fixed
sid3:4.2.17-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcejessie(not affected)
python-djangosourcestretch(not affected)
python-djangosourcebuster(not affected)
python-djangosourcebullseye2:2.2.25-1~deb11u1
python-djangosource(unstable)2:3.2.10-1

Notes

[buster] - python-django <not-affected> (Vulnerable code not present; is_endpoint support added later)
[stretch] - python-django <not-affected> (Vulnerable code not present; path converters added later)
https://www.openwall.com/lists/oss-security/2021/12/07/1
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
https://github.com/django/django/commit/333c65603032c377e682cdbd7388657a5463a05a (3.2.10)
https://github.com/django/django/commit/7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 (2.2.25)
[jessie] - python-django <not-affected> (Vulnerable code not present; path converters added later)

Search for package or bug name: Reporting problems