{
  "threat_severity" : "Moderate",
  "public_date" : "2021-02-01T10:00:00Z",
  "bugzilla" : {
    "description" : "django: Potential directory-traversal via archive.extract()",
    "id" : "1919969",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1919969"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments.", "A flaw was found in django where the `django.utils.archive.extract()` function, used by `startapp --template` and `startproject --template`, allowed directory traversal via an archive with absolute paths or relative paths with dot segments." ],
  "statement" : "The following products ship an affected version of python-django; however, the vulnerable function archive.extract() is currently not used in any part of the product, and hence this issue has been rated as having a security impact of Low:\n* Red Hat Gluster Storage 3\n* Red Hat Update Infrastructure 3\nBecause the flaw's impact is Low and Red Hat OpenStack Platform 13 will be retiring soon, no update will be provided at this time for the RHOSP13 python-django package.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Tower 3.8 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0780",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:3.8::el7",
    "package" : "ansible-tower-38/ansible-runner-rhel7:1.4.7-1"
  }, {
    "product_name" : "Red Hat Ansible Tower 3.8 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0780",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:3.8::el7",
    "package" : "ansible-tower-38/ansible-tower-rhel7:3.8.2-1"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el7",
    "package" : "automation-hub-0:4.2.2-1.el7pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el7",
    "package" : "python3-django-0:2.2.18-1.el7pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el7",
    "package" : "python-bleach-0:3.3.0-1.el7pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el7",
    "package" : "python-bleach-allowlist-0:1.0.3-1.el7pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el7",
    "package" : "python-galaxy-importer-0:0.2.15-1.el7pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el7",
    "package" : "python-galaxy-ng-0:4.2.2-1.el7pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 7",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el7",
    "package" : "python-pulp-ansible-1:0.5.6-1.el7pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 8",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el8",
    "package" : "automation-hub-0:4.2.2-1.el8pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 8",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el8",
    "package" : "python3-django-0:2.2.18-1.el8pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 8",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el8",
    "package" : "python-bleach-0:3.3.0-1.el8pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 8",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el8",
    "package" : "python-bleach-allowlist-0:1.0.3-1.el8pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 8",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el8",
    "package" : "python-galaxy-importer-0:0.2.15-1.el8pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 8",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el8",
    "package" : "python-galaxy-ng-0:4.2.2-1.el8pc"
  }, {
    "product_name" : "Red Hat Automation Hub 4.2 for RHEL 8",
    "release_date" : "2021-03-09T00:00:00Z",
    "advisory" : "RHSA-2021:0781",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:4.2::el8",
    "package" : "python-pulp-ansible-1:0.5.6-1.el8pc"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2021-12-09T00:00:00Z",
    "advisory" : "RHSA-2021:5070",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "python-django20-0:2.0.13-16.el8ost.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2021-09-15T00:00:00Z",
    "advisory" : "RHSA-2021:3490",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "python-django20-0:2.0.13-16.el8ost.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Not affected",
    "package_name" : "django",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Update Infrastructure 3 for Cloud Providers",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:rhui:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3281\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3281" ],
  "name" : "CVE-2021-3281",
  "csaw" : false
}