CVE-2021-33203: Path Traversal in Django

CVSS Score (v3.1): 4.9

Basic Information

EPSS Score: 0.53016%
Published: 6/10/2021
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
django         pip         < 2.2.24              2.2.24
Django         pip         >= 3.0, < 3.1.12      3.1.12
Django         pip         >= 3.2, < 3.2.4       3.2.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from improper path handling in TemplateDetailView's context data generation. The commit diff shows that the vulnerable path concatenation was replaced with safe_join, which prevents directory traversal. The CVE description explicitly names TemplateDetailView as the entry point, and the patch adds path sanitization to exactly this section of code.
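The two halves of that root cause side by side, as an added example that is not Django's code and not Miggo's analysis: unsafe_join is the trusting concatenation pattern, safe_join re-implements the containment check of the kind the patch introduced (so the example runs without Django installed; the function and exception names are reused for readability, not taken from the project), and template_exists mirrors the existence check the view performs. The directory layout built by demo() is constructed for this example.

```python
import os
import tempfile
from pathlib import Path


class SuspiciousFileOperation(Exception):
    """Raised when a joined path resolves outside the allowed base directory.
    Same condition Django's safe_join reports; the name is reused here for clarity."""


def unsafe_join(base: str, *paths: str) -> str:
    """The vulnerable pattern: a plain os.path.join trusts the caller-supplied
    template name, so '../' segments (or an absolute path) walk out of base."""
    return os.path.join(base, *paths)


def safe_join(base: str, *paths: str) -> str:
    """Hardened join: resolve the result to an absolute, normalised path and
    refuse it unless it is base itself or lies strictly beneath base.
    Re-implements the idea behind the safe_join the patch introduced so the
    example runs without Django; it is not Django's code."""
    base_abs = os.path.abspath(base)
    final = os.path.abspath(os.path.join(base_abs, *paths))
    if final != base_abs and not final.startswith(base_abs.rstrip(os.sep) + os.sep):
        raise SuspiciousFileOperation(f"{final!r} is outside {base_abs!r}")
    return final


def template_exists(template_dirs, name, join=safe_join) -> bool:
    """Mirrors the check the view performs: does `name` resolve to an existing
    file under any configured template directory? The join function is a
    parameter so both behaviours can be compared on the same input."""
    for directory in template_dirs:
        try:
            candidate = join(directory, name)
        except SuspiciousFileOperation:
            continue  # hardened join rejects the name before touching the filesystem
        if os.path.isfile(candidate):
            return True
    return False


def demo() -> dict:
    """Build a throwaway layout (constructed for this example) with one real
    template and one file outside the template directory, then report what
    each join says about an in-tree name and a traversal name."""
    root = tempfile.mkdtemp()
    template_dir = os.path.join(root, "templates")
    os.mkdir(template_dir)
    Path(template_dir, "index.html").touch()
    Path(root, "outside.txt").touch()  # sibling of the template dir; must stay unreachable
    return {
        "in_tree_unsafe": template_exists([template_dir], "index.html", join=unsafe_join),
        "in_tree_safe": template_exists([template_dir], "index.html"),
        "traversal_unsafe": template_exists([template_dir], "../outside.txt", join=unsafe_join),
        "traversal_safe": template_exists([template_dir], "../outside.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the comparison makes is that the hardened join fails closed: a name that normalises to anything outside the configured directory never reaches os.path.isfile, so the view cannot be turned into an existence oracle for files it was never meant to serve, while ordinary template names behave identically under both joins.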

WAF Protection Rules

WAF Rule

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and onl
