From 46572de2e92fdeaf047f80c44d52269e54ad68db Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Mon, 17 May 2021 11:26:36 +0200 Subject: Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView. --- docs/releases/2.2.24.txt | 12 +++++++++++- docs/releases/3.1.12.txt | 12 +++++++++++- docs/releases/3.2.4.txt | 12 ++++++++++++ 3 files changed, 34 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/releases/2.2.24.txt b/docs/releases/2.2.24.txt index 5b71d9939f..9bcf7037c4 100644 --- a/docs/releases/2.2.24.txt +++ b/docs/releases/2.2.24.txt @@ -6,4 +6,14 @@ Django 2.2.24 release notes Django 2.2.24 fixes two security issues in 2.2.23. -... +CVE-2021-33203: Potential directory traversal via ``admindocs`` +=============================================================== + +Staff members could use the :mod:`~django.contrib.admindocs` +``TemplateDetailView`` view to check the existence of arbitrary files. +Additionally, if (and only if) the default admindocs templates have been +customized by the developers to also expose the file contents, then not only +the existence but also the file contents would have been exposed. + +As a mitigation, path sanitation is now applied and only files within the +template root directories can be loaded. diff --git a/docs/releases/3.1.12.txt b/docs/releases/3.1.12.txt index 32fd96feb5..7d8ee8447e 100644 --- a/docs/releases/3.1.12.txt +++ b/docs/releases/3.1.12.txt @@ -6,4 +6,14 @@ Django 3.1.12 release notes Django 3.1.12 fixes two security issues in 3.1.11. -... +CVE-2021-33203: Potential directory traversal via ``admindocs`` +=============================================================== + +Staff members could use the :mod:`~django.contrib.admindocs` +``TemplateDetailView`` view to check the existence of arbitrary files. +Additionally, if (and only if) the default admindocs templates have been +customized by the developers to also expose the file contents, then not only +the existence but also the file contents would have been exposed. + +As a mitigation, path sanitation is now applied and only files within the +template root directories can be loaded. diff --git a/docs/releases/3.2.4.txt b/docs/releases/3.2.4.txt index 7aab5f8134..7c1b195d00 100644 --- a/docs/releases/3.2.4.txt +++ b/docs/releases/3.2.4.txt @@ -6,6 +6,18 @@ Django 3.2.4 release notes Django 3.2.4 fixes two security issues and several bugs in 3.2.3. +CVE-2021-33203: Potential directory traversal via ``admindocs`` +=============================================================== + +Staff members could use the :mod:`~django.contrib.admindocs` +``TemplateDetailView`` view to check the existence of arbitrary files. +Additionally, if (and only if) the default admindocs templates have been +customized by the developers to also expose the file contents, then not only +the existence but also the file contents would have been exposed. + +As a mitigation, path sanitation is now applied and only files within the +template root directories can be loaded. + Bugfixes ======== -- cgit v1.3