[3.1.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.

2025-07-24 05:36:15 +00:00 · 2021-05-17 11:26:36 +02:00 · 2021-05-17 11:26:36 +02:00 · 20c67a0693
commit 20c67a0693
parent aa8781c0a6
4 changed files with 40 additions and 3 deletions
--- a/docs/releases/2.2.24.txt
+++ b/docs/releases/2.2.24.txt
@ -6,4 +6,14 @@ Django 2.2.24 release notes

 Django 2.2.24 fixes two security issues in 2.2.23.

-...
+CVE-2021-33203: Potential directory traversal via ``admindocs``
+===============================================================
+
+Staff members could use the :mod:`~django.contrib.admindocs`
+``TemplateDetailView`` view to check the existence of arbitrary files.
+Additionally, if (and only if) the default admindocs templates have been
+customized by the developers to also expose the file contents, then not only
+the existence but also the file contents would have been exposed.
+
+As a mitigation, path sanitation is now applied and only files within the
+template root directories can be loaded.
--- a/docs/releases/3.1.12.txt
+++ b/docs/releases/3.1.12.txt
@ -6,4 +6,14 @@ Django 3.1.12 release notes

 Django 3.1.12 fixes two security issues in 3.1.11.

-...
+CVE-2021-33203: Potential directory traversal via ``admindocs``
+===============================================================
+
+Staff members could use the :mod:`~django.contrib.admindocs`
+``TemplateDetailView`` view to check the existence of arbitrary files.
+Additionally, if (and only if) the default admindocs templates have been
+customized by the developers to also expose the file contents, then not only
+the existence but also the file contents would have been exposed.
+
+As a mitigation, path sanitation is now applied and only files within the
+template root directories can be loaded.