4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-33203

GHSA ID

GHSA-68w8-qjq3-2gfm

EPSS Score

0.53016%

CWE

CWE-22

Published

6/10/2021

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-33203

CVE-2021-33203: Path Traversal in Django

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.

(GitHub Advisory)

4.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-33203

GHSA ID

GHSA-68w8-qjq3-2gfm

EPSS Score

0.53016%

CWE

CWE-22

Published

6/10/2021

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django	pip	< 2.2.24	2.2.24
Django	pip	>= 3.0, < 3.1.12	3.1.12
Django	pip	>= 3.2, < 3.2.4	3.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper path handling in TemplateDetailView's context data generation. The commit diff shows the vulnerable path concatenation was replaced with safe_join, which prevents directory traversal. The CVE description explicitly mentions TemplateDetailView as the entry point, and the patch adds path sanitation to this specific code section.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*j*n*o ***or* *.*.**, *.x ***or* *.*.**, *n* *.*.x ***or* *.*.* **s * pot*nti*l *ir**tory tr*v*rs*l vi* *j*n*o.*ontri*.**min*o*s. St*** m*m**rs *oul* us* t** T*mpl*t***t*ilVi*w vi*w to ****k t** *xist*n** o* *r*itr*ry *il*s. ***ition*lly, i* (*n* onl

Reasoning

T** vuln*r**ility st*mm** *rom improp*r p*t* **n*lin* in T*mpl*t***t*ilVi*w's *ont*xt **t* **n*r*tion. T** *ommit *i** s*ows t** vuln*r**l* p*t* *on**t*n*tion w*s r*pl**** wit* `s***_join`, w*i** pr*v*nts *ir**tory tr*v*rs*l. T** *V* **s*ription *xpl

4.9

Basic Information

Concerned about an active attack path?

CVE-2021-33203: Path Traversal in Django

4.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI