path: root/docs/releases/3.2.4.txt
author: Florian Apolloner <florian@apolloner.eu> 2021-05-17 11:26:36 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2021-06-02 10:58:39 +0200
commit: 46572de2e92fdeaf047f80c44d52269e54ad68db (patch)
tree: ccda1f219cc9544c506dfd25567f00fd9625da18 /docs/releases/3.2.4.txt
parent: f66ae7a2d5558fe88ddfe639a610573872be6628 (diff)
Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.
Diffstat (limited to 'docs/releases/3.2.4.txt')
-rw-r--r-- docs/releases/3.2.4.txt | 12
1 file changed, 12 insertions, 0 deletions
diff --git a/docs/releases/3.2.4.txt b/docs/releases/3.2.4.txt
index 7aab5f8134..7c1b195d00 100644
--- a/docs/releases/3.2.4.txt
+++ b/docs/releases/3.2.4.txt
@@ -6,6 +6,18 @@ Django 3.2.4 release notes
Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
+CVE-2021-33203: Potential directory traversal via ``admindocs``
+===============================================================
+
+Staff members could use the :mod:`~django.contrib.admindocs`
+``TemplateDetailView`` view to check the existence of arbitrary files.
+Additionally, if (and only if) the default admindocs templates have been
+customized by the developers to also expose the file contents, then not only
+the existence but also the file contents would have been exposed.
+
+As a mitigation, path sanitation is now applied and only files within the
+template root directories can be loaded.
+
Bugfixes
========
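Review bot: the mitigation sentence at the end of the added section ("path sanitation is now applied and only files within the template root directories can be loaded") does not say which request paths are now rejected (for example ones containing ``..`` segments or absolute paths) or what response ``TemplateDetailView`` returns for a rejected path, so a reader of the release note cannot tell a blocked request from an ordinary missing-template error; consider adding one sentence stating both. Two wording points in the same hunk: "path sanitation" is normally "path sanitization" in this context, and "if (and only if) the default admindocs templates have been customized" reads more cleanly as "only if the default admindocs templates have been customized".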