CVE-2021-45116
django: Potential information disclosure in dictsort template filter
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
Se ha detectado un problema en Django versiones 2.2 anteriores a 2.2.26, 3.2 anteriores a 3.2.11 y 4.0 anteriores a 4.0.1. Debido al aprovechamiento de la lógica de resolución de variables del lenguaje de plantillas de Django, el filtro de plantillas dictsort era potencialmente vulnerable a una divulgación de información, o a una llamada de método no intencionada, si le es pasada una clave apropiadamente diseñada.
An information-disclosure flaw was found in Django, where the dictsort filter in Django's Template Language did not correctly validate user input. A network attacker could exploit this flaw using a suitably crafted key to force information disclosure or unintended method calls.
Chris Bailey discovered that Django incorrectly handled evaluating submitted passwords. A remote attacker could possibly use this issue to consume resources, resulting in a denial of service. Dennis Brinkrolf discovered that Django incorrectly handled the dictsort template filter. A remote attacker could possibly use this issue to obtain sensitive information. Dennis Brinkrolf discovered that Django incorrectly handled certain file names. A remote attacker could possibly use this issue to save files to arbitrary filesystem locations.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2021-12-16 CVE Reserved
- 2022-01-04 CVE Published
- 2025-05-22 CVE Updated
- 2025-06-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| https://groups.google.com/forum/#%21forum/django-announce | X_refsource_misc | |
| https://security.netapp.com/advisory/ntap-20220121-0005 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://docs.djangoproject.com/en/4.0/releases/security | 2023-11-07 | |
| https://www.djangoproject.com/weblog/2022/jan/04/security-releases | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | >= 2.2 < 2.2.26 Search vendor "Djangoproject" for product "Django" and version " >= 2.2 < 2.2.26" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | >= 3.2 < 3.2.11 Search vendor "Djangoproject" for product "Django" and version " >= 3.2 < 3.2.11" | - |
Affected
| ||||||
| Djangoproject Search vendor "Djangoproject" | Django Search vendor "Djangoproject" for product "Django" | >= 4.0 < 4.0.1 Search vendor "Djangoproject" for product "Django" and version " >= 4.0 < 4.0.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||