CVE-2021-3281
5.3 MEDIUMIn Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --templa...
Published: 2021-02-02 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- CWE
- CWE-22
Affected products
| Vendor | Product |
|---|---|
| djangoproject | django, fedora, snapcenter |
| fedoraproject | django, fedora, snapcenter |
| netapp | django, fedora, snapcenter |
Description
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-3281
- [Patch]https://docs.djangoproject.com/en/3.1/releases/security/
- [Other]https://groups.google.com/forum/#%21forum/django-announce
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
- [Other]https://security.netapp.com/advisory/ntap-20210226-0004/
- [Vendor advisory]https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
- [Patch]https://docs.djangoproject.com/en/3.1/releases/security/
- [Other]https://groups.google.com/forum/#%21forum/django-announce
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YF52FKEH5S2P5CM4X7IXSYG67YY2CDOO/
- [Other]https://security.netapp.com/advisory/ntap-20210226-0004/
- [Vendor advisory]https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
Related CVEs
Same vendor
- CVE-2026-8404 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
- CVE-2026-7666 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
- CVE-2026-6873 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)
- CVE-2026-48587 — An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6 (3.1 LOW)
- CVE-2026-44546 — daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake proces... (3.7 LOW)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)