CVE-2021-32052
Published: May 6, 2021
Modified: Aug 3, 2024
PUBLISHED
Description
In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
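One way to apply the check the description implies, as an added example that is not Django's code or part of this CVE record: reject tab, CR and LF on the raw string before it is parsed, stored or written into a response header. The names `check_url_value`, `classify`, `UnsafeURLError`, the scheme allow-list and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Characters named in the CVE description: tab, CR, LF.
UNSAFE_CHARS = frozenset("\t\r\n")
ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web URLs are expected


class UnsafeURLError(ValueError):
    """Hypothetical error type for rejected URL values."""


def check_url_value(value):
    """Return value unchanged if it is safe to validate and reuse."""
    # Inspect the raw string first: a check made only on parsed
    # components can miss characters the parser has already dropped.
    found = UNSAFE_CHARS.intersection(value)
    if found:
        names = sorted(repr(c) for c in found)
        raise UnsafeURLError("control characters in URL: " + ", ".join(names))
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeURLError("not an absolute http(s) URL")
    return value


def classify(values):
    """Map each candidate to 'ok' or the rejection reason."""
    results = {}
    for v in values:
        try:
            check_url_value(v)
            results[v] = "ok"
        except UnsafeURLError as exc:
            results[v] = str(exc)
    return results


# Constructed sample inputs, not taken from the advisory.
SAMPLES = [
    "https://example.com/next",
    "https://example.com/\r\nX-Injected: 1",
    "https://exa\tmple.com/",
    "/relative/path",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print(repr(url), "->", verdict)
```

The same check belongs wherever a user-supplied URL reaches a header outside of `HttpResponse`, since the description notes that only `HttpResponse` rejects newlines on its own.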
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
https://groups.google.com/forum/#%21forum/django-announce (x_refsource_MISC)
https://docs.djangoproject.com/en/3.2/releases/security/ (x_refsource_MISC)
http://www.openwall.com/lists/oss-security/2021/05/06/1 (x_refsource_MISC)
FEDORA-2021-01044b8a59 (vendor-advisory, x_refsource_FEDORA)
https://security.netapp.com/advisory/ntap-20210611-0002/ (x_refsource_CONFIRM)