Diffstat (limited to 'docs/releases/3.1.12.txt')
| -rw-r--r-- | docs/releases/3.1.12.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/releases/3.1.12.txt b/docs/releases/3.1.12.txt index 7d8ee8447e..0700f40849 100644 --- a/docs/releases/3.1.12.txt +++ b/docs/releases/3.1.12.txt @@ -17,3 +17,16 @@ the existence but also the file contents would have been exposed. As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded. + +CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses +=========================================================================================================================== + +:class:`~django.core.validators.URLValidator`, +:func:`~django.core.validators.validate_ipv4_address`, and +:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading +zeros in octal literals. If you used such values you could suffer from +indeterminate SSRF, RFI, and LFI attacks. + +:func:`~django.core.validators.validate_ipv4_address` and +:func:`~django.core.validators.validate_ipv46_address` validators were not +affected on Python 3.9.5+. |
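Review bot: the sentence "didn't prohibit leading zeros in octal literals" in the new CVE-2021-33571 section is imprecise and will confuse readers: the validators accepted IPv4 octets with leading zeros (e.g. a value like `0127.0.0.1`, a constructed example), and it is the consuming platform that may interpret such an octet as octal rather than decimal, which is what makes the resulting address "indeterminate". Suggest rewording to something like "didn't prohibit leading zeros in IPv4 address octets, which some platforms interpret as octal". Also, the closing paragraph says only that `validate_ipv4_address` and `validate_ipv46_address` were not affected on Python 3.9.5+; since `URLValidator` is listed as affected in the first paragraph but not mentioned in the last, the note should state explicitly whether `URLValidator` remained affected on those Python versions so readers do not have to infer it from the omission.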
