From 7cf7d74e8a754446eeb85cacf2fef1247e0cb6d7 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Mon, 29 Nov 2021 11:52:03 +0100 Subject: [2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths. Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports. Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main. --- docs/releases/2.2.25.txt | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/releases/2.2.25.txt b/docs/releases/2.2.25.txt index e8e552d80e..1662451a30 100644 --- a/docs/releases/2.2.25.txt +++ b/docs/releases/2.2.25.txt @@ -6,4 +6,8 @@ Django 2.2.25 release notes Django 2.2.25 fixes a security issue with severity "low" in 2.2.24. -... +CVE-2021-44420: Potential bypass of an upstream access control based on URL paths +================================================================================= + +HTTP requests for URLs with trailing newlines could bypass an upstream access +control based on URL paths. -- cgit v1.3