{ "threat_severity" : "Moderate", "public_date" : "2022-01-04T00:00:00Z", "bugzilla" : { "description" : "django: Potential information disclosure in dictsort template filter", "id" : "2037025", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2037025" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-212", "details" : [ "An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.", "An information-disclosure flaw was found in Django, where the dictsort filter in Django's Template Language did not correctly validate user input. A network attacker could exploit this flaw using a suitably crafted key to force information disclosure or unintended method calls." ], "statement" : "In Red Hat OpenStack Platform, because the flaw's impact is lower and the impacted functionality is not directly used, no update will be provided at this time for the python-django20 package.", "affected_release" : [ { "product_name" : "Red Hat Satellite 6.11 for RHEL 8", "release_date" : "2022-07-05T00:00:00Z", "advisory" : "RHSA-2022:5498", "cpe" : "cpe:/a:redhat:satellite:6.11::el8", "package" : "python-django-0:3.2.13-1.el8pc" }, { "product_name" : "Red Hat Satellite 6.11 for RHEL 8", "release_date" : "2022-07-05T00:00:00Z", "advisory" : "RHSA-2022:5498", "cpe" : "cpe:/a:redhat:satellite_capsule:6.11::el8", "package" : "python-django-0:3.2.13-1.el8pc" } ], "package_state" : [ { "product_name" : "Red Hat Ansible Automation Platform 1.2", "fix_state" : "Will not fix", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ansible_automation_platform" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Tower 3", "fix_state" : "Will not fix", "package_name" : "django", "cpe" : "cpe:/a:redhat:ansible_tower:3" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "calamari-server", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Out of support scope", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:ceph_storage:3" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Out of support scope", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 16.1", "fix_state" : "Will not fix", "package_name" : "python-django20", "cpe" : "cpe:/a:redhat:openstack:16.1" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Will not fix", "package_name" : "python-django20", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "python3-django", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Not affected", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:storage:3" }, { "product_name" : "Red Hat Update Infrastructure 3 for Cloud Providers", "fix_state" : "Will not fix", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:rhui:3" }, { "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers", "fix_state" : "Affected", "package_name" : "python-django", "cpe" : "cpe:/a:redhat:rhui:4::el8" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-45116\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-45116\nhttps://www.djangoproject.com/weblog/2022/jan/04/security-releases/" ], "name" : "CVE-2021-45116", "csaw" : false }