summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2021-05-25 11:55:06 +0200
committerCarlton Gibson <carlton.gibson@noumenal.es>2021-06-02 10:26:22 +0200
commit053cc9534d174dc89daba36724ed2dcb36755b90 (patch)
tree5e2ee37b34f60856b7b4a14c023315a3d5b46997 /docs
parent6229d8794ff7d3f471e29811857d72e67f24b608 (diff)
[2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/2.2.24.txt12
1 files changed, 11 insertions, 1 deletions
diff --git a/docs/releases/2.2.24.txt b/docs/releases/2.2.24.txt
index 5b71d9939f..9bcf7037c4 100644
--- a/docs/releases/2.2.24.txt
+++ b/docs/releases/2.2.24.txt
@@ -6,4 +6,14 @@ Django 2.2.24 release notes
Django 2.2.24 fixes two security issues in 2.2.23.
-...
+CVE-2021-33203: Potential directory traversal via ``admindocs``
+===============================================================
+
+Staff members could use the :mod:`~django.contrib.admindocs`
+``TemplateDetailView`` view to check the existence of arbitrary files.
+Additionally, if (and only if) the default admindocs templates have been
+customized by the developers to also expose the file contents, then not only
+the existence but also the file contents would have been exposed.
+
+As a mitigation, path sanitation is now applied and only files within the
+template root directories can be loaded.