{"api_version":"1","generated_at":"2026-04-23T02:18:38+00:00","cve":"CVE-2021-32052","urls":{"html":"https://cve.report/CVE-2021-32052","api":"https://cve.report/api/cve/CVE-2021-32052.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-32052","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-32052"},"summary":{"title":"CVE-2021-32052","description":"In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-05-06 16:15:00","updated_at":"2023-11-07 03:35:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://groups.google.com/forum/#%21forum/django-announce","name":"https://groups.google.com/forum/#%21forum/django-announce","refsource":"","tags":[],"title":"Redirecting to Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2021/05/06/1","name":"http://www.openwall.com/lists/oss-security/2021/05/06/1","refsource":"MISC","tags":[],"title":"oss-security - Django: CVE-2021-32052: Header injection possibility since\n URLValidator accepted newlines in input on Python 3.9.5+","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/forum/#!forum/django-announce","name":"https://groups.google.com/forum/#!forum/django-announce","refsource":"MISC","tags":[],"title":"Redirecting to Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://docs.djangoproject.com/en/3.2/releases/security/","name":"https://docs.djangoproject.com/en/3.2/releases/security/","refsource":"MISC","tags":[],"title":"Archive of security issues | Django documentation | Django","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.djangoproject.com/weblog/2021/may/06/security-releases/","name":"https://www.djangoproject.com/weblog/2021/may/06/security-releases/","refsource":"MISC","tags":[],"title":"Django security releases issued: 3.2.2, 3.1.10, and 2.2.22 | Weblog | Django","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/","name":"FEDORA-2021-01044b8a59","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: python-django-3.1.9-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/","name":"FEDORA-2021-01044b8a59","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: python-django-3.1.9-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20210611-0002/","name":"https://security.netapp.com/advisory/ntap-20210611-0002/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-32052 Django Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-32052","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32052","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"32052","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"djangoproject","cpe5":"django","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32052","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"32052","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-32052","qid":"179879","title":"Debian Security Update for python-django (CVE-2021-32052)"},{"cve":"CVE-2021-32052","qid":"198394","title":"Ubuntu Security Notification for Django vulnerabilities (USN-4975-1)"},{"cve":"CVE-2021-32052","qid":"198736","title":"Ubuntu Security Notification for Django Vulnerabilities (USN-5373-1)"},{"cve":"CVE-2021-32052","qid":"281191","title":"Fedora Security Update for python (FEDORA-2021-01044b8a59)"},{"cve":"CVE-2021-32052","qid":"296053","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 35.94.4 Missing (CPUJUL2021)"},{"cve":"CVE-2021-32052","qid":"982278","title":"Python (pip) Security Update for Django (GHSA-qm57-vhq3-3fwf)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-32052","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://groups.google.com/forum/#!forum/django-announce","refsource":"MISC","name":"https://groups.google.com/forum/#!forum/django-announce"},{"url":"https://docs.djangoproject.com/en/3.2/releases/security/","refsource":"MISC","name":"https://docs.djangoproject.com/en/3.2/releases/security/"},{"refsource":"MISC","name":"http://www.openwall.com/lists/oss-security/2021/05/06/1","url":"http://www.openwall.com/lists/oss-security/2021/05/06/1"},{"refsource":"MISC","name":"https://www.djangoproject.com/weblog/2021/may/06/security-releases/","url":"https://www.djangoproject.com/weblog/2021/may/06/security-releases/"},{"refsource":"FEDORA","name":"FEDORA-2021-01044b8a59","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVKYPHR3TKR2ESWXBPOJEKRO2OSJRZUE/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20210611-0002/","url":"https://security.netapp.com/advisory/ntap-20210611-0002/"}]}},"nvd":{"publishedDate":"2021-05-06 16:15:00","lastModifiedDate":"2023-11-07 03:35:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"2.2","versionEndExcluding":"2.2.22","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1","versionEndExcluding":"3.1.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"3.2.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9.5","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"32052","Ordinal":"207396","Title":"CVE-2021-32052","CVE":"CVE-2021-32052","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"32052","Ordinal":"1","NoteData":"In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"32052","Ordinal":"2","NoteData":"2021-05-06","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"32052","Ordinal":"3","NoteData":"2021-06-11","Type":"Other","Title":"Modified"}]}}}