CVE-2021-32052

{"id": "CVE-2021-32052", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-05-06T16:15:07.520", "references": [{"url": "http://www.openwall.com/lists/oss-security/2021/05/06/1", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.djangoproject.com/en/3.2/releases/security/", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://groups.google.com/forum/#%21forum/django-announce", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/", "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20210611-0002/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.djangoproject.com/weblog/2021/may/06/security-releases/", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2021/05/06/1", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.djangoproject.com/en/3.2/releases/security/", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://groups.google.com/forum/#%21forum/django-announce", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20210611-0002/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.djangoproject.com/weblog/2021/may/06/security-releases/", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers."}, {"lang": "es", "value": "En Django 2.2 versiones anteriores a 2.2.22, 3.1 versiones anteriores a 3.1.10 y 3.2 versiones anteriores a 3.2.2 (con Python 3.9.5+), URLValidator no proh\u00edbe nuevas l\u00edneas y pesta\u00f1as (a menos que sea usado el campo URLField form). Si una aplicaci\u00f3n usa valores con nuevas l\u00edneas en una respuesta HTTP, puede ocurrir una inyecci\u00f3n de encabezado. Django en s\u00ed no est\u00e1 afectado porque HttpResponse proh\u00edbe las nuevas l\u00edneas en los encabezados HTTP"}], "lastModified": "2024-11-21T06:06:46.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED7CB1DC-4D83-4D30-8778-D3DC95D636A8", "versionEndExcluding": "2.2.22", "versionStartIncluding": "2.2"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F5F0697-2B95-41DA-BDAE-CAE64BFF11D2", "versionEndExcluding": "3.1.10", "versionStartIncluding": "3.1"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCDAA914-CAC5-4F6F-AAC7-B586115EA2EE", "versionEndExcluding": "3.2.2", "versionStartIncluding": "3.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B6A6F7D1-9BD9-46A1-81FA-3FCE1B4CCFC5", "versionStartIncluding": "3.9.5"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}