CVE-2021-45116

An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.

Published: Jan 5, 2022
Updated: Aug 9, 2023
CVE: CVE-2021-45116
GHSA: GHSA-8c5j-9r9f-c6w8
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-20
CWE-668

Affected Software
References

Software	From	Fixed in
djangoproject / django	2.2	2.2.26
djangoproject / django	3.2	3.2.11
djangoproject / django	4.0	4.0.1
fedoraproject / fedora	35	35.x
Django	2.2.0	2.2.26
Django	3.2.0	3.2.11
Django	4.0.0	4.0.1

https://docs.djangoproject.com/en/4.0/releases/security/
https://github.com/django/django/commit/2a8ec7f546d6d5806e221ec948c5146b55bd7489
https://github.com/django/django/commit/c7fe895bca06daf12cc1670b56eaf72a1ef27a16
https://github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a
https://groups.google.com/forum/#!forum/django-announce
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV/
https://security.netapp.com/advisory/ntap-20220121-0005/
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/

Vulnerability Database

289,599

CVE-2021-45116