diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-05-24 09:55:14 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-06-02 10:58:39 +0200 |
| commit | e1d787f1b36d13b95187f8f425425ae1b98da188 (patch) | |
| tree | a8bcc44d47e04d5bc4b132b5194005315d925e94 /docs/releases/2.2.24.txt | |
| parent | 46572de2e92fdeaf047f80c44d52269e54ad68db (diff) | |
Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.
[1] https://bugs.python.org/issue36384
Diffstat (limited to 'docs/releases/2.2.24.txt')
| -rw-r--r-- | docs/releases/2.2.24.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/releases/2.2.24.txt b/docs/releases/2.2.24.txt index 9bcf7037c4..1064fc53a0 100644 --- a/docs/releases/2.2.24.txt +++ b/docs/releases/2.2.24.txt @@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. + +CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses +=========================================================================================================================== + +:class:`~django.core.validators.URLValidator`, +:func:`~django.core.validators.validate_ipv4_address`, and +:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading +zeros in octal literals. If you used such values you could suffer from +indeterminate SSRF, RFI, and LFI attacks. + +:func:`~django.core.validators.validate_ipv4_address` and +:func:`~django.core.validators.validate_ipv46_address` validators were not +affected on Python 3.9.5+. |