diff options
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/2.2.26.txt | 5 | ||||
| -rw-r--r-- | docs/releases/3.2.11.txt | 5 | ||||
| -rw-r--r-- | docs/releases/4.0.1.txt | 5 |
3 files changed, 15 insertions, 0 deletions
diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt index 2ed9b32119..9a53c51e27 100644 --- a/docs/releases/2.2.26.txt +++ b/docs/releases/2.2.26.txt @@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on dictionaries. As a reminder, all untrusted user input should be validated before use. +CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` +==================================================================== + +``Storage.save()`` allowed directory-traversal if directly passed suitably +crafted file names. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. diff --git a/docs/releases/3.2.11.txt b/docs/releases/3.2.11.txt index e715ae866f..adff2d6d08 100644 --- a/docs/releases/3.2.11.txt +++ b/docs/releases/3.2.11.txt @@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on dictionaries. As a reminder, all untrusted user input should be validated before use. +CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` +==================================================================== + +``Storage.save()`` allowed directory-traversal if directly passed suitably +crafted file names. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. diff --git a/docs/releases/4.0.1.txt b/docs/releases/4.0.1.txt index 5335511f1e..3128d20431 100644 --- a/docs/releases/4.0.1.txt +++ b/docs/releases/4.0.1.txt @@ -33,6 +33,11 @@ resolution logic, that will not call methods, nor allow indexing on dictionaries. As a reminder, all untrusted user input should be validated before use. +CVE-2021-45452: Potential directory-traversal via ``Storage.save()`` +==================================================================== + +``Storage.save()`` allowed directory-traversal if directly passed suitably +crafted file names. This issue has severity "low" according to the :ref:`Django security policy <security-disclosure>`. |