CVE-2021-33571

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+..) .

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Software

Name	Vendor	Start Version	End Version
Django	Djangoproject	2.2 (including)	2.2.24 (excluding)
Django	Djangoproject	3.0 (including)	3.1.12 (excluding)
Django	Djangoproject	3.2 (including)	3.2.4 (excluding)

https://cwe.mitre.org/data/definitions/664.html

References

https://docs.djangoproject.com/en/3.2/releases/security/
https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e
https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d
https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc
https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://security.netapp.com/advisory/ntap-20210727-0004/
https://www.djangoproject.com/weblog/2021/jun/02/security-releases/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-33571
CWE	https://cwe.mitre.org/data/definitions/918.html

Server-Side Request Forgery (SSRF)

Weakness

Affected Software

Related Attack Patterns

References