CVE-2021-3281
django: Potential directory-traversal via archive.extract()
Public Exploits: 1
Exploited in Wild: -
Descriptions
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
A flaw was found in Django where the `django.utils.archive.extract()` function, used by `startapp --template` and `startproject --template`, allowed directory traversal via an archive with absolute paths or relative paths with dot segments.
Red Hat Ansible Automation Platform integrates Red Hat's automation suite consisting of Red Hat Ansible Tower, Red Hat Ansible Engine, Automation Hub and use-case specific capabilities for Microsoft Windows, network, security, and more, along with Software-as-a-Service-based capabilities and features for organization-wide effectiveness. This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section. Issues addressed include code execution, denial of service, and traversal vulnerabilities.
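The containment check that the fixed Django releases apply to each archive member, written here as an added example rather than Django's own code: every member name is resolved against the destination directory and rejected unless it stays inside it, which covers both the absolute-path and dot-segment cases the description names. `extract_checked`, `build_sample_archive`, `demo` and the sample member names are constructed for this page, and the `os.path.commonpath` comparison is an assumption, not Django's exact test.

```python
import io
import os
import tarfile
import tempfile
class SuspiciousArchive(Exception):
    """An archive member resolves to a path outside the extraction directory."""

def target_filename(to_path, name):
    # Resolve the member name against the destination: an absolute name replaces
    # the destination and '..' segments walk out of it, so both fail this check.
    target_path = os.path.abspath(to_path)
    filename = os.path.abspath(os.path.join(target_path, name))
    if os.path.commonpath([target_path, filename]) != target_path:
        raise SuspiciousArchive("Archive contains invalid path: %r" % name)
    return filename

def extract_checked(archive_bytes, to_path):
    # Write regular files only; members failing the check are recorded, not written.
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            try:
                filename = target_filename(to_path, member.name)
            except SuspiciousArchive:
                rejected.append(member.name)
                continue
            if member.isfile():
                os.makedirs(os.path.dirname(filename), exist_ok=True)
                with open(filename, "wb") as out:
                    out.write(tar.extractfile(member).read())
                written.append(member.name)
    return written, rejected

def build_sample_archive():
    # Constructed sample: a benign template file plus the two shapes the advisory names.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("project_name/settings.py", b"DEBUG = False\n"),
                           ("../outside.txt", b"x\n"), ("/absolute.txt", b"x\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    # Extract into a throwaway directory; returns (written, rejected, benign file landed).
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = extract_checked(build_sample_archive(), dest)
        landed = os.path.isfile(os.path.join(dest, "project_name", "settings.py"))
    return written, rejected, landed
```

Running `demo()` writes only the template file and reports the other two members as rejected.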
SSVC
- Decision: -
Timeline
- 2021-01-22 CVE Reserved
- 2021-02-01 CVE Published
- 2021-07-05 First Exploit
- 2024-08-03 CVE Updated
- 2025-04-02 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (8)
URL | Tag | Source
---|---|---
https://groups.google.com/forum/#%21forum/django-announce | X_refsource_misc |
https://security.netapp.com/advisory/ntap-20210226-0004 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://github.com/lwzSoviet/CVE-2021-3281 | 2021-07-05 |

URL | Date | SRC
---|---|---
https://docs.djangoproject.com/en/3.1/releases/security | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Djangoproject | Django | >= 2.2 < 2.2.18 | - | Affected
Djangoproject | Django | >= 3.0 < 3.0.12 | - | Affected
Djangoproject | Django | >= 3.1 < 3.1.6 | - | Affected
Fedoraproject | Fedora | 33 | - | Affected
Netapp | Snapcenter | - | - | Affected