CVE-2021-3281

moderate-risk
Published 2021-02-02

In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

Do I need to act?

!
36.2% chance of exploitation in next 30 days
EPSS score — higher than 64% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (3)

Affected Vendors

Fedoraproject Netapp Djangoproject

References (10)

Patch https://docs.djangoproject.com/en/3.1/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://security.netapp.com/advisory/ntap-20210226-0004/
Vendor Advisory https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
Patch https://docs.djangoproject.com/en/3.1/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://security.netapp.com/advisory/ntap-20210226-0004/
Vendor Advisory https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
46
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 16/34 · Moderate
Exposure 9/34 · Low