CVE-2021-33571

django: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

En Django versiones 2.2 anteriores a 2.2.24, versiones 3.x anteriores a 3.1.12 y versiones 3.2 anteriores a 3.2.4, las funciones URLValidator, validate_ipv4_address y validate_ipv46_address no prohíben los caracteres cero a la izquierda en los literales octales. Esto puede permitir una omisión del control de acceso basado en las direcciones IP. (validate_ipv4_address y validate_ipv46_address no se ven afectados con Python versión 3.9.5+)

A flaw was found in django. Leading zeros in octal literals aren't prohibited in IP addresses. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks. The highest threat from this vulnerability is to data integrity.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-25 CVE Reserved
2021-06-03 CVE Published
2024-02-22 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (10)

URL	Tag	Source
https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo	Mailing List
https://security.netapp.com/advisory/ntap-20210727-0004	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://docs.djangoproject.com/en/3.2/releases/security	2023-12-07
https://www.djangoproject.com/weblog/2021/jun/02/security-releases	2023-12-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV	2023-12-07
https://access.redhat.com/security/cve/CVE-2021-33571	2021-12-09
https://bugzilla.redhat.com/show_bug.cgi?id=1966253	2021-12-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 2.2 < 2.2.24 Search vendor "Djangoproject" for product "Django" and version " >= 2.2 < 2.2.24"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 3.0 < 3.1.12 Search vendor "Djangoproject" for product "Django" and version " >= 3.0 < 3.1.12"		-		Affected
Djangoproject Search vendor "Djangoproject"		Django Search vendor "Djangoproject" for product "Django"				>= 3.2 < 3.2.4 Search vendor "Djangoproject" for product "Django" and version " >= 3.2 < 3.2.4"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected