{"id":"CVE-2021-28658","details":"In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.","aliases":["BIT-django-2021-28658","GHSA-xgxc-v2qg-chmh","PYSEC-2021-6"],"modified":"2026-04-16T04:31:38.564249458Z","published":"2021-04-06T15:15:13.437Z","related":["SUSE-SU-2021:1962-1","SUSE-SU-2021:1963-1","SUSE-SU-2021:2554-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/3.1/releases/security/"},{"type":"ADVISORY","url":"https://groups.google.com/g/django-announce/c/ePr5j-ngdPU"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/04/msg00008.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210528-0001/"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2021/apr/06/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"2a62cdcfec85938f40abb2e9e6a9ff497e02afe8"},{"fixed":"ad9fa56a17bf9691615e9bb6e41d08d51cfe8a5d"},{"introduced":"2a04e24d2dfc8e60a66e4369d970913cb2112d91"},{"fixed":"f52800243545af658c27f83623b5fc72ae6b8dcf"},{"introduced":"0b8a0296bfd30748f08021834e95cdae241686e8"},{"fixed":"c4928c9115104d3d88a0ccb57e030f0b5f445ed8"}],"database_specific":{"versions":[{"introduced":"2.2"},{"fixed":"2.2.20"},{"introduced":"3.0"},{"fixed":"3.0.14"},{"introduced":"3.1"},{"fixed":"3.1.8"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-28658.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}