Potential bypass of an upstream access control based on URL paths in Django
Moderate severity
GitHub Reviewed
Published
Dec 9, 2021
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Package
Affected versions
>= 2.2a1, < 2.2.25
>= 3.0a1, < 3.1.14
>= 3.2a1, < 3.2.10
Patched versions
2.2.25
3.1.14
3.2.10
Description
Published by the National Vulnerability Database
Dec 8, 2021
Reviewed
Dec 9, 2021
Published to the GitHub Advisory Database
Dec 9, 2021
Last updated
Nov 18, 2024
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.
References