Path to dependency file: /wagtail/wagtail/project_template/requirements.txt
Path to vulnerable library: /teSource-ArchiveExtractor_6a8a4d3e-1a25-411e-895f-d18400c71569/20190823195740_81768/20190823195722_depth_0/1/Django-2.2.4.tar/Django-2.2.4
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
CVE-2021-28658 - Medium Severity Vulnerability
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/19/11/3449a2071df9427e7a5c4dddee2462e88840dd968a9b0c161097154fcb0c/Django-2.2.4.tar.gz
Path to dependency file: /wagtail/wagtail/project_template/requirements.txt
Path to vulnerable library: /teSource-ArchiveExtractor_6a8a4d3e-1a25-411e-895f-d18400c71569/20190823195740_81768/20190823195722_depth_0/1/Django-2.2.4.tar/Django-2.2.4
Dependency Hierarchy: - :x: **Django-2.2.4.tar.gz** (Vulnerable Library)
Found in base branch: master
In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.
Publish Date: 2021-04-06
URL: CVE-2021-28658
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28658
Release Date: 2021-04-06
Fix Resolution: django-2.2.20, 3.0.14, 3.1.8, 3.2
Step up your Open Source Security Game with Mend here