PYSEC-2021-8 — Vulnetix

PYSEC-2021-8 PUBLISHED

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.

Affected Products

Vendor	Product	Versions
PyPI	django	2.2, 3.1, 3.2

Timeline

May 6, 2021 CVE Published
Dec 6, 2023 CVE Updated

References

https://docs.djangoproject.com/en/3.2/releases/security/ url
http://www.openwall.com/lists/oss-security/2021/05/06/1 url
https://groups.google.com/forum/#!forum/django-announce url
https://www.djangoproject.com/weblog/2021/may/06/security-releases/ article
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/ url
https://github.com/advisories/GHSA-qm57-vhq3-3fwf advisory

Open in Interactive Console →