CVSS Score

The vulnerability stems from improper path validation in the ssi template tag handler. The patch adds os.path.abspath() to include_is_allowed, proving this function was the point of failure. The original implementation only checked whether the input path started with an allowed root, without resolving relative components such as "..", which enabled directory traversal. The CVE description and the commit diff both directly implicate this function's path validation logic as the vulnerable component.
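The following is an added example, not Django's own code or the text of the patch: it reconstructs the pre-patch prefix check and the os.path.abspath() fix as this page describes them, so the failure mode can be exercised side by side. The allowed root value and the function names are assumptions for the example; the stricter commonpath variant goes beyond the patch and is included as a defensive caveat, since a bare string-prefix check still accepts a sibling directory whose name merely begins with the allowed root.

```python
import os

# Constructed example value standing in for a configured include root
# (Django's setting is ALLOWED_INCLUDE_ROOTS; the path itself is made up).
ALLOWED_INCLUDE_ROOTS = ("/var/www/templates",)


def include_is_allowed_vulnerable(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Pre-patch logic as described on this page: a bare string-prefix check.

    '..' components are never resolved, so a path that merely *begins* with
    an allowed root passes even when it escapes that root once opened.
    """
    for root in roots:
        if filepath.startswith(root):
            return True
    return False


def include_is_allowed_patched(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Post-patch logic: normalise with os.path.abspath() before comparing.

    abspath() collapses '.' and '..' segments, so the prefix check now runs
    against the path the filesystem would actually open.
    """
    filepath = os.path.abspath(filepath)
    for root in roots:
        if filepath.startswith(root):
            return True
    return False


def include_is_allowed_strict(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Stricter variant (added here, not part of the patch).

    Compares whole path components via os.path.commonpath(), so a sibling
    directory such as /var/www/templates_old is rejected even though the
    string '/var/www/templates_old/...' starts with the allowed root.
    """
    filepath = os.path.abspath(filepath)
    for root in roots:
        root = os.path.abspath(root)
        try:
            if os.path.commonpath([root, filepath]) == root:
                return True
        except ValueError:
            # Raised when the paths cannot share a common path (e.g. different
            # drives on Windows); treat that as "not under this root".
            continue
    return False


def compare_checks(filepath):
    """Return the verdict of all three checks for one candidate path."""
    return {
        "vulnerable": include_is_allowed_vulnerable(filepath),
        "patched": include_is_allowed_patched(filepath),
        "strict": include_is_allowed_strict(filepath),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate include, a traversal out of the
    # root, and a sibling directory that shares the root as a string prefix.
    for candidate in (
        "/var/www/templates/header.html",
        "/var/www/templates/../../../etc/passwd",
        "/var/www/templates_old/header.html",
    ):
        print(candidate, compare_checks(candidate))
```

Running the block shows the traversal path accepted by the pre-patch check and rejected once abspath() has resolved it, while only the commonpath variant also rejects the sibling-directory case; when auditing similar prefix-based allow-lists, test both kinds of input.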
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| django | pip | >= 1.4, < 1.4.7 | 1.4.7 |
| django | pip | >= 1.5, < 1.5.3 | 1.5.3 |