In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. This issue has low severity, according to the Django security policy.

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-44420
• https://groups.google.com/forum/#!forum/django-announce
• https://www.openwall.com/lists/oss-security/2021/12/07/1
• django/django@d4dcd5b
• https://docs.djangoproject.com/en/3.2/releases/security
• GHSA-v6rh-hp5x-86rv
• https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2021-439.yaml
• https://lists.fedoraproject.org/archives/list/[email protected]/message/B4SQG2EAF4WCI2SLRL6XRDJ3RPK3ZRDV
• https://security.netapp.com/advisory/ntap-20211229-0006
• https://www.djangoproject.com/weblog/2021/dec/07/security-releases