summaryrefslogtreecommitdiff
path: root/docs/releases/3.2.4.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/3.2.4.txt')
-rw-r--r--docs/releases/3.2.4.txt13
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/releases/3.2.4.txt b/docs/releases/3.2.4.txt
index 7c1b195d00..496ea6ec3f 100644
--- a/docs/releases/3.2.4.txt
+++ b/docs/releases/3.2.4.txt
@@ -18,6 +18,19 @@ the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
+CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses
+===========================================================================================================================
+
+:class:`~django.core.validators.URLValidator`,
+:func:`~django.core.validators.validate_ipv4_address`, and
+:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leading
+zeros in octal literals. If you used such values you could suffer from
+indeterminate SSRF, RFI, and LFI attacks.
+
+:func:`~django.core.validators.validate_ipv4_address` and
+:func:`~django.core.validators.validate_ipv46_address` validators were not
+affected on Python 3.9.5+.
+
Bugfixes
========
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 21:30:49 +0000