Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2021-28658

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

Related bugs and status

CVE-2021-28658 (Candidate) is related to these bugs:

Bug #1946890: Merge python-django from Debian unstable for 22.04

Summary				In	Importance	Status
	1946890	Merge python-django from Debian unstable for 22.04		python-django (Ubuntu)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://www.djangoproj...
MISC: https://docs.djangopro...
MISC: https://groups.google....
MLIST: [debian-lts-announce] ...
FEDORA: FEDORA-2021-01044b8a59
CONFIRM: https://security.netap...