CVE-2021-32052: 
Django vulnerability analysis and mitigation

CVE-2021-32052 affects Django versions 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 when used with Python 3.9.5+. The vulnerability was discovered and disclosed on May 6, 2021, and involves the URLValidator component not properly prohibiting newlines and tabs in input validation (Django Security).

The vulnerability exists in Django's URLValidator component which failed to prohibit newlines and tabs in input validation when running on Python 3.9.5 or higher. This issue was introduced by the bpo-43882 fix. The vulnerability has been assigned a CVSS score of 6.1 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NetApp Advisory).

If an application uses values with newlines in HTTP responses, it could be vulnerable to header injection attacks. However, Django's core functionality remains unaffected as HttpResponse prohibits newlines in HTTP headers. Additionally, the URLField form field silently removes newlines and tabs on Python 3.9.5+, limiting the vulnerability to cases where the validator is used outside of form fields (Django Security).

The issue has been fixed in Django versions 3.2.2, 3.1.10, and 2.2.22. Users are encouraged to upgrade to these patched versions as soon as possible. The fixes have been applied to Django's main branch and the respective release branches (Django Security).