[2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.

Thanks to Dennis Brinkrolf for the report.
author: Florian Apolloner <florian@apolloner.eu> 2021-12-17 21:07:50 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-01-04 10:20:31 +0100
commit: 4cb35b384ceef52123fc66411a73c36a706825e1 (patch)
tree: 1bd0e98713c96e81e1c93d60509c3548291b30a6 /docs/releases/2.2.26.txt
parent: c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt
index 2ed9b32119..7fbdc02089 100644
--- a/docs/releases/2.2.26.txt
+++ b/docs/releases/2.2.26.txt
@@ -36,3 +36,12 @@ As a reminder, all untrusted user input should be validated before use.
 
 This issue has severity "low" according to the :ref:`Django security policy
 <security-disclosure>`.
+
+CVE-2021-45452: Potential directory-traversal via ``Storage.save()``
+====================================================================
+
+``Storage.save()`` allowed directory-traversal if directly passed suitably
+crafted file names.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
author	Florian Apolloner <florian@apolloner.eu>	2021-12-17 21:07:50 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2022-01-04 10:20:31 +0100
commit	4cb35b384ceef52123fc66411a73c36a706825e1 (patch)
tree	1bd0e98713c96e81e1c93d60509c3548291b30a6 /docs/releases/2.2.26.txt
parent	c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (diff)