From 8d2f7cff76200cbd2337b2cf1707e383eb1fb54b Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Fri, 17 Dec 2021 21:07:50 +0100 Subject: [3.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. Thanks to Dennis Brinkrolf for the report. --- docs/releases/2.2.26.txt | 9 +++++++++ docs/releases/3.2.11.txt | 9 +++++++++ 2 files changed, 18 insertions(+) (limited to 'docs') diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt index 2ed9b32119..7fbdc02089 100644 --- a/docs/releases/2.2.26.txt +++ b/docs/releases/2.2.26.txt @@ -36,3 +36,12 @@ As a reminder, all untrusted user input should be validated before use. This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` +==================================================================== + +``Storage.save()`` allowed directory-traversal if directly passed suitably +crafted file names. + +This issue has severity "low" according to the :ref:`Django security policy +`. diff --git a/docs/releases/3.2.11.txt b/docs/releases/3.2.11.txt index e715ae866f..bb68e14a8e 100644 --- a/docs/releases/3.2.11.txt +++ b/docs/releases/3.2.11.txt @@ -36,3 +36,12 @@ As a reminder, all untrusted user input should be validated before use. This issue has severity "low" according to the :ref:`Django security policy `. + +CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` +==================================================================== + +``Storage.save()`` allowed directory-traversal if directly passed suitably +crafted file names. + +This issue has severity "low" according to the :ref:`Django security policy +`. -- cgit v1.3