{"id":"CVE-2021-33571","details":"In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses. (validate_ipv4_address and validate_ipv46_address are unaffected with Python 3.9.5+.)","aliases":["BIT-django-2021-33571","GHSA-p99v-5w3c-jqq9","PYSEC-2021-99"],"modified":"2026-04-16T04:32:36.138268418Z","published":"2021-06-08T18:15:08.517Z","related":["SUSE-SU-2021:1962-1","SUSE-SU-2021:1963-1","SUSE-SU-2021:2554-1","openSUSE-SU-2023:0005-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/"},{"type":"ADVISORY","url":"https://groups.google.com/g/django-announce/c/sPyjSKMi8Eo"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210727-0004/"},{"type":"FIX","url":"https://www.djangoproject.com/weblog/2021/jun/02/security-releases/"},{"type":"FIX","url":"https://docs.djangoproject.com/en/3.2/releases/security/"},{"type":"FIX","url":"https://github.com/django/django/commit/203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e"},{"type":"FIX","url":"https://github.com/django/django/commit/9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d"},{"type":"FIX","url":"https://github.com/django/django/commit/f27c38ab5d90f68c9dd60cabef248a570c0be8fc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"2a62cdcfec85938f40abb2e9e6a9ff497e02afe8"},{"fixed":"2da029d8540ab0b2e9edcba25c4d46c52853197f"},{"introduced":"2a04e24d2dfc8e60a66e4369d970913cb2112d91"},{"fixed":"625d3c1c643b0eb5c84339415ca0ba9f1728efa2"},{"introduced":"3591e1c1acbd7c13174275367c3fdf012cb0413b"},{"fixed":"843c34b3ab921c1acf77ee2014a97bc7975595b
8"},{"fixed":"203d4ab9ebcd72fc4d6eb7398e66ed9e474e118e"},{"fixed":"9f75e2e562fa0c0482f3dde6fc7399a9070b4a3d"},{"fixed":"f27c38ab5d90f68c9dd60cabef248a570c0be8fc"}],"database_specific":{"versions":[{"introduced":"2.2"},{"fixed":"2.2.24"},{"introduced":"3.0"},{"fixed":"3.1.12"},{"introduced":"3.2"},{"fixed":"3.2.4"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33571.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"35"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}