Bugzilla – Bug 1186608
VUL-0: CVE-2021-33203: python-Django,python-Django1: Potential directory traversal via admindocs
Last modified: 2024-04-26 13:43:34 UTC
Staff members could use the :mod:`~django.contrib.admindocs` ``TemplateDetailView`` view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.
Affected packages: - openSUSE:Factory/python-Django 3.2.3
Created attachment 849776 [details] patch
Created attachment 849777 [details] patch
Created attachment 849778 [details] patch
Created attachment 849779 [details] Patch for Django 2.2.x
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/ is public CVE-2021-33203: Potential directory traversal via admindocs Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. This issue has low severity, according to the Django security policy. Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team for the report.
SUSE-SU-2021:1963-1: An update that fixes 10 vulnerabilities, contains one feature is now available. Category: security (moderate) Bug References: 1044849,1179805,1181379,1183803,1184148,1185623,1186608,1186611 CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2019-25025,CVE-2020-29651,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-3281,CVE-2021-33203,CVE-2021-33571 JIRA References: SOC-11435 Sources used: SUSE OpenStack Cloud 7 (src): crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2, grafana-6.7.4-1.24.2, kibana-4.6.6-9.2, monasca-installer-20180608_12.47-16.2, python-Django-1.8.19-3.29.1, python-py-1.8.1-11.16.2, rubygem-activerecord-session_store-0.1.2-3.4.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1962-1: An update that fixes 23 vulnerabilities, contains two features is now available. Category: security (moderate) Bug References: 1044849,1048688,1115960,1148383,1170657,1171909,1172409,1172450,1174583,1178243,1179805,1181277,1181278,1181689,1181690,1182317,1182433,1183174,1183803,1184148,1185623,1186608,1186611 CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2018-19039,CVE-2019-15043,CVE-2019-25025,CVE-2020-10743,CVE-2020-11110,CVE-2020-12052,CVE-2020-13379,CVE-2020-17516,CVE-2020-24303,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571 JIRA References: SOC-10357,SOC-11453 Sources used: SUSE OpenStack Cloud Crowbar 9 (src): cassandra-3.11.10-3.3.3, crowbar-openstack-6.0+git.1616146717.a89ae0f4e-3.34.4, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, rubygem-activerecord-session_store-0.1.2-4.3.2 SUSE OpenStack Cloud 9 (src): ardana-neutron-9.0+git.1615223676.777f0b3-3.25.2, ardana-swift-9.0+git.1618235096.90974ed-3.10.2, cassandra-3.11.10-3.3.3, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, venv-openstack-barbican-7.0.1~dev24-3.23.1, venv-openstack-cinder-13.0.10~dev20-3.26.1, venv-openstack-designate-7.0.2~dev2-3.23.1, venv-openstack-glance-17.0.1~dev30-3.21.1, venv-openstack-heat-11.0.4~dev4-3.23.1, venv-openstack-horizon-14.1.1~dev11-4.27.3, venv-openstack-ironic-11.1.5~dev17-4.21.2, venv-openstack-keystone-14.2.1~dev4-3.24.3, venv-openstack-magnum-7.2.1~dev1-4.23.1, venv-openstack-manila-7.4.2~dev60-3.29.1, venv-openstack-monasca-2.7.1~dev10-3.21.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.23.2, venv-openstack-neutron-13.0.8~dev164-6.27.3, venv-openstack-nova-18.3.1~dev82-3.27.3, venv-openstack-octavia-3.2.3~dev7-4.23.1, venv-openstack-sahara-9.0.2~dev15-3.23.1, venv-openstack-swift-2.19.2~dev48-2.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2554-1: An update that solves 16 vulnerabilities, contains 10 features and has 8 fixes is now available. Category: security (moderate) Bug References: 1019074,1044849,1057496,1073879,1113302,1123064,1143893,1166139,1176784,1179805,1180507,1181277,1181278,1181689,1181828,1182433,1183174,1183803,1184148,1185623,1185836,1186608,1186611,940812 CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2017-5929,CVE-2019-25025,CVE-2020-17516,CVE-2020-26247,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-21419,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571 JIRA References: ECO-3105,PM-2352,SCRD-8523,SOC-11422,SOC-11470,SOC-11471,SOC-11521,SOC-11523,SOC-11525,SOC-9876 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): cassandra-3.11.10-5.3.5, crowbar-core-5.0+git.1622489449.a8e60e238-3.50.4, crowbar-openstack-5.0+git.1616001417.67fd9c2a1-4.52.5, documentation-suse-openstack-cloud-deployment-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, rubygem-activerecord-session_store-0.1.2-3.3.2 SUSE OpenStack Cloud 8 (src): ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-suse-openstack-cloud-installation-8.20210512-1.32.5, documentation-suse-openstack-cloud-operations-8.20210512-1.32.5, documentation-suse-openstack-cloud-opsconsole-8.20210512-1.32.5, documentation-suse-openstack-cloud-planning-8.20210512-1.32.5, documentation-suse-openstack-cloud-security-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, documentation-suse-openstack-cloud-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-12.0.5~dev6-14.36.6, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3 HPE Helion Openstack 8 (src): ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-hpe-helion-openstack-installation-8.20210512-1.32.5, documentation-hpe-helion-openstack-operations-8.20210512-1.32.5, documentation-hpe-helion-openstack-opsconsole-8.20210512-1.32.5, documentation-hpe-helion-openstack-planning-8.20210512-1.32.5, documentation-hpe-helion-openstack-security-8.20210512-1.32.5, documentation-hpe-helion-openstack-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-hpe-12.0.5~dev6-14.36.3, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SOC fixes included in the last MU's. Back to security team.
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793 CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323 JIRA References: Sources used: openSUSE Backports SLE-15-SP3 (src): python-Django-2.2.28-bp153.2.3.1
released