CVE-2021-45452 Overview
CVE-2021-45452 is a directory traversal vulnerability in Django's Storage.save function that allows attackers to write files outside of intended directories when crafted filenames are directly passed to the function. This vulnerability affects Django versions 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
The flaw exists because the Storage.save method does not adequately sanitize filenames containing path traversal sequences, enabling attackers to potentially read sensitive files or write malicious content to arbitrary locations on the filesystem.
Critical Impact
Attackers can exploit this vulnerability to traverse directories and potentially access or overwrite sensitive files on servers running vulnerable Django versions, leading to information disclosure or system compromise.
Affected Products
- Django 2.2 before 2.2.26
- Django 3.2 before 3.2.11
- Django 4.0 before 4.0.1
- Fedora 35
Discovery Timeline
- January 4, 2022 - Django Project releases security patches
- January 5, 2022 - CVE-2021-45452 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-45452
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) resides in Django's file storage system, specifically within the Storage.save method. The vulnerability is exploitable over the network without requiring authentication or user interaction. When an application passes user-controlled filenames directly to Storage.save, an attacker can craft filenames containing directory traversal sequences (such as ../) to escape the intended storage directory.
The impact is primarily focused on confidentiality, as attackers may be able to read files outside the expected directory scope. In certain configurations, this could also enable writing files to sensitive locations, depending on how the application implements file storage operations.
Root Cause
The root cause of CVE-2021-45452 is insufficient input validation in Django's Storage.save function. The method fails to properly sanitize or validate filename inputs before processing them, allowing path traversal characters to be interpreted literally. This enables attackers to navigate the filesystem hierarchy by including sequences like ../ in uploaded filenames or file references.
Attack Vector
The attack vector requires the target application to directly pass user-supplied or externally-controlled filenames to the Storage.save method without proper sanitization. An attacker can exploit this by:
- Identifying an endpoint or functionality that accepts filenames and passes them to Django's storage system
- Crafting a malicious filename containing directory traversal sequences (e.g., ../../../etc/passwd)
- Submitting the crafted filename through the vulnerable application feature
- The Storage.save function processes the path traversal sequence, allowing access to files outside the intended directory
The vulnerability is accessible over the network and does not require authentication, though exploitation depends on how the application handles file storage operations. Applications that sanitize filenames before passing them to Storage.save are not affected.
Detection Methods for CVE-2021-45452
Indicators of Compromise
- Presence of directory traversal sequences (../, ..\\) in application logs related to file operations
- Unexpected file access or creation attempts outside designated storage directories
- HTTP requests containing encoded path traversal patterns (e.g., %2e%2e%2f, ..%c0%af)
- Anomalous file system activity in sensitive directories such as /etc/ or configuration folders
Detection Strategies
- Implement log monitoring to identify file operation requests containing path traversal sequences
- Deploy Web Application Firewall (WAF) rules to detect and block directory traversal patterns in request parameters
- Review Django application code for instances where user input is passed directly to Storage.save without sanitization
- Use static application security testing (SAST) tools to identify vulnerable code patterns in Django projects
Monitoring Recommendations
- Enable detailed logging for Django file storage operations and monitor for suspicious filename patterns
- Configure intrusion detection systems (IDS) to alert on directory traversal signatures in HTTP traffic
- Establish baseline file system activity and alert on deviations, particularly in storage directories
- Monitor for access attempts to sensitive files such as /etc/passwd, configuration files, or application secrets
How to Mitigate CVE-2021-45452
Immediate Actions Required
- Upgrade Django to version 2.2.26, 3.2.11, 4.0.1, or later immediately
- Audit application code to identify any locations where user-controlled filenames are passed to Storage.save
- Implement input validation to sanitize filenames before storage operations
- Review file upload functionality and ensure proper filename handling is in place
Patch Information
Django has released security patches addressing this vulnerability. Organizations should upgrade to the following versions or later:
- Django 2.2.26 for the 2.2 LTS branch
- Django 3.2.11 for the 3.2 LTS branch
- Django 4.0.1 for the 4.0 branch
Detailed information about the security release is available in the Django Weblog Security Releases announcement. The Django Security Release Notes provide additional context on this and related vulnerabilities.
Workarounds
- Implement application-level filename sanitization to strip or reject path traversal sequences before passing to Storage.save
- Use Django's get_valid_filename() utility to normalize user-supplied filenames
- Restrict file storage operations to designated directories using filesystem permissions
- Consider using UUID-based or hashed filenames instead of user-supplied names for stored files
# Upgrade Django to patched version
pip install --upgrade Django>=4.0.1
# Verify installed Django version
python -c "import django; print(django.VERSION)"
# For Django 2.2 LTS users
pip install "Django>=2.2.26,<3.0"
# For Django 3.2 LTS users
pip install "Django>=3.2.11,<4.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
