PYSEC-2021-439 — Vulnetix

PYSEC-2021-439 PUBLISHED

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

Affected Products

Vendor	Product	Versions
PyPI	django	2.2, 3.2, 2.2

Timeline

Dec 8, 2021 CVE Published
Dec 6, 2023 CVE Updated

References

https://docs.djangoproject.com/en/3.2/releases/security/ url
https://www.openwall.com/lists/oss-security/2021/12/07/1 url
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/ article
https://groups.google.com/forum/#!forum/django-announce url
https://github.com/advisories/GHSA-v6rh-hp5x-86rv advisory

Open in Interactive Console →