Vulnerability Details CVE-2021-32052
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.015
EPSS Ranking 80.7%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://www.openwall.com/lists/oss-security/2021/05/06/1
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
- https://security.netapp.com/advisory/ntap-20210611-0002/
- https://www.djangoproject.com/weblog/2021/may/06/security-releases/
- http://www.openwall.com/lists/oss-security/2021/05/06/1
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/
- https://security.netapp.com/advisory/ntap-20210611-0002/
- https://www.djangoproject.com/weblog/2021/may/06/security-releases/
Products affected by CVE-2021-32052
-
cpe:2.3:a:djangoproject:django:2.2
-
cpe:2.3:a:djangoproject:django:2.2.1
-
cpe:2.3:a:djangoproject:django:2.2.10
-
cpe:2.3:a:djangoproject:django:2.2.11
-
cpe:2.3:a:djangoproject:django:2.2.13
-
cpe:2.3:a:djangoproject:django:2.2.14
-
cpe:2.3:a:djangoproject:django:2.2.15
-
cpe:2.3:a:djangoproject:django:2.2.16
-
cpe:2.3:a:djangoproject:django:2.2.17
-
cpe:2.3:a:djangoproject:django:2.2.18
-
cpe:2.3:a:djangoproject:django:2.2.19
-
cpe:2.3:a:djangoproject:django:2.2.2
-
cpe:2.3:a:djangoproject:django:2.2.20
-
cpe:2.3:a:djangoproject:django:2.2.21
-
cpe:2.3:a:djangoproject:django:2.2.3
-
cpe:2.3:a:djangoproject:django:2.2.4
-
cpe:2.3:a:djangoproject:django:2.2.5
-
cpe:2.3:a:djangoproject:django:2.2.6
-
cpe:2.3:a:djangoproject:django:2.2.7
-
cpe:2.3:a:djangoproject:django:2.2.8
-
cpe:2.3:a:djangoproject:django:2.2.9
-
cpe:2.3:a:djangoproject:django:3.1
-
cpe:2.3:a:djangoproject:django:3.1.1
-
cpe:2.3:a:djangoproject:django:3.1.2
-
cpe:2.3:a:djangoproject:django:3.1.3
-
cpe:2.3:a:djangoproject:django:3.1.4
-
cpe:2.3:a:djangoproject:django:3.1.5
-
cpe:2.3:a:djangoproject:django:3.1.6
-
cpe:2.3:a:djangoproject:django:3.1.7
-
cpe:2.3:a:djangoproject:django:3.1.8
-
cpe:2.3:a:djangoproject:django:3.1.9
-
cpe:2.3:a:djangoproject:django:3.2
-
cpe:2.3:a:djangoproject:django:3.2.1
-
cpe:2.3:a:python:python:3.10
-
cpe:2.3:a:python:python:3.10.0
-
cpe:2.3:a:python:python:3.10.1
-
cpe:2.3:a:python:python:3.10.10
-
cpe:2.3:a:python:python:3.10.11
-
cpe:2.3:a:python:python:3.10.12
-
cpe:2.3:a:python:python:3.10.13
-
cpe:2.3:a:python:python:3.10.14
-
cpe:2.3:a:python:python:3.10.15
-
cpe:2.3:a:python:python:3.10.16
-
cpe:2.3:a:python:python:3.10.17
-
cpe:2.3:a:python:python:3.10.18
-
cpe:2.3:a:python:python:3.10.19
-
cpe:2.3:a:python:python:3.10.2
-
cpe:2.3:a:python:python:3.10.3
-
cpe:2.3:a:python:python:3.10.4
-
cpe:2.3:a:python:python:3.10.5
-
cpe:2.3:a:python:python:3.10.6
-
cpe:2.3:a:python:python:3.10.7
-
cpe:2.3:a:python:python:3.10.8
-
cpe:2.3:a:python:python:3.10.9
-
cpe:2.3:a:python:python:3.11
-
cpe:2.3:a:python:python:3.11.0
-
cpe:2.3:a:python:python:3.11.1
-
cpe:2.3:a:python:python:3.11.10
-
cpe:2.3:a:python:python:3.11.11
-
cpe:2.3:a:python:python:3.11.12
-
cpe:2.3:a:python:python:3.11.13
-
cpe:2.3:a:python:python:3.11.14
-
cpe:2.3:a:python:python:3.11.2
-
cpe:2.3:a:python:python:3.11.3
-
cpe:2.3:a:python:python:3.11.4
-
cpe:2.3:a:python:python:3.11.5
-
cpe:2.3:a:python:python:3.11.6
-
cpe:2.3:a:python:python:3.11.7
-
cpe:2.3:a:python:python:3.11.8
-
cpe:2.3:a:python:python:3.11.9
-
cpe:2.3:a:python:python:3.12
-
cpe:2.3:a:python:python:3.12.0
-
cpe:2.3:a:python:python:3.12.1
-
cpe:2.3:a:python:python:3.12.10
-
cpe:2.3:a:python:python:3.12.11
-
cpe:2.3:a:python:python:3.12.12
-
cpe:2.3:a:python:python:3.12.2
-
cpe:2.3:a:python:python:3.12.3
-
cpe:2.3:a:python:python:3.12.4
-
cpe:2.3:a:python:python:3.12.5
-
cpe:2.3:a:python:python:3.12.6
-
cpe:2.3:a:python:python:3.12.7
-
cpe:2.3:a:python:python:3.12.8
-
cpe:2.3:a:python:python:3.12.9
-
cpe:2.3:a:python:python:3.13.0
-
cpe:2.3:a:python:python:3.13.1
-
cpe:2.3:a:python:python:3.13.10
-
cpe:2.3:a:python:python:3.13.11
-
cpe:2.3:a:python:python:3.13.2
-
cpe:2.3:a:python:python:3.13.3
-
cpe:2.3:a:python:python:3.13.4
-
cpe:2.3:a:python:python:3.13.5
-
cpe:2.3:a:python:python:3.13.6
-
cpe:2.3:a:python:python:3.13.7
-
cpe:2.3:a:python:python:3.13.8
-
cpe:2.3:a:python:python:3.13.9
-
cpe:2.3:a:python:python:3.14.0
-
cpe:2.3:a:python:python:3.14.1
-
cpe:2.3:a:python:python:3.14.2
-
cpe:2.3:a:python:python:3.15.0
-
cpe:2.3:a:python:python:3.9.10
-
cpe:2.3:a:python:python:3.9.11
-
cpe:2.3:a:python:python:3.9.12
-
cpe:2.3:a:python:python:3.9.13
-
cpe:2.3:a:python:python:3.9.14
-
cpe:2.3:a:python:python:3.9.15
-
cpe:2.3:a:python:python:3.9.16
-
cpe:2.3:a:python:python:3.9.17
-
cpe:2.3:a:python:python:3.9.18
-
cpe:2.3:a:python:python:3.9.19
-
cpe:2.3:a:python:python:3.9.20
-
cpe:2.3:a:python:python:3.9.5
-
cpe:2.3:a:python:python:3.9.6
-
cpe:2.3:a:python:python:3.9.7
-
cpe:2.3:a:python:python:3.9.8
-
cpe:2.3:a:python:python:3.9.9
-
cpe:2.3:o:fedoraproject:fedora:34