CVE-2021-33571
django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .
En Django versiones 2.2 anteriores a 2.2.24, versiones 3.x anteriores a 3.1.12 y versiones 3.2 anteriores a 3.2.4, las funciones URLValidator, validate_ipv4_address y validate_ipv46_address no prohíben los caracteres cero a la izquierda en los literales octales. Esto puede permitir una omisión del control de acceso basado en las direcciones IP. (validate_ipv4_address y validate_ipv46_address no se ven afectados con Python versión 3.9.5+)
A flaw was found in django. Leading zeros in octal literals aren't prohibited in IP addresses. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. The highest threat from this vulnerability is to data integrity.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-25 CVE Reserved
- 2021-06-03 CVE Published
- 2024-02-22 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (10)
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://docs.djangoproject.com/en/3.2/releases/security | 2023-12-07 | |
https://www.djangoproject.com/weblog/2021/jun/02/security-releases | 2023-12-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | >= 2.2 < 2.2.24 Search vendor "Djangoproject" for product "Django" and version " >= 2.2 < 2.2.24" | - |
Affected
| ||||||
Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | >= 3.0 < 3.1.12 Search vendor "Djangoproject" for product "Django" and version " >= 3.0 < 3.1.12" | - |
Affected
| ||||||
Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | >= 3.2 < 3.2.4 Search vendor "Djangoproject" for product "Django" and version " >= 3.2 < 3.2.4" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
|