{"id":"CVE-2021-3281","details":"In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by \"startapp --template\" and \"startproject --template\") allows directory traversal via an archive with absolute paths or relative paths with dot segments.","aliases":["BIT-django-2021-3281","GHSA-fvgf-6h6h-3322","PYSEC-2021-9"],"modified":"2026-04-10T04:33:13.433064Z","published":"2021-02-02T07:15:14.020Z","related":["SUSE-RU-2021:0351-1","SUSE-RU-2021:0497-1","SUSE-SU-2021:1963-1"],"references":[{"type":"WEB","url":"https://groups.google.com/forum/#%21forum/django-announce"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210226-0004/"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2021/feb/01/security-releases/"},{"type":"FIX","url":"https://docs.djangoproject.com/en/3.1/releases/security/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"2a62cdcfec85938f40abb2e9e6a9ff497e02afe8"},{"fixed":"fc0c8cfa492b2d7b82263e71e486f3829ad7c43a"},{"introduced":"2a04e24d2dfc8e60a66e4369d970913cb2112d91"},{"fixed":"81c99e4eb00b58e3eb33f3d5c1747b6c57e9d649"},{"introduced":"0b8a0296bfd30748f08021834e95cdae241686e8"},{"fixed":"3235a7b80710e5c90bbb1d25a147c8d0eddc8198"}],"database_specific":{"versions":[{"introduced":"2.2"},{"fixed":"2.2.18"},{"introduced":"3.0"},{"fixed":"3.0.12"},{"introduced":"3.1"},{"fixed":"3.1.6"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3281.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}