CVE-2021-46897: 
Python vulnerability analysis and mitigation

CVE-2021-46897 affects Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) versions before 0.22.3. The vulnerability allows upward protected/..%2f..%2f path traversal when serving protected media, which could potentially expose sensitive files on the server. The issue was discovered and reported on September 26, 2021, and was patched in version 0.22.3 released on September 29, 2021 (NVD, FortiGuard).

The vulnerability exists in the views.py file of the CodeRed CMS, where the code accepts any URL format in the protected media URL pattern without proper validation. The issue stems from passing the path as an argument without adequate sanitization, making it susceptible to path traversal attacks. The CVSS v3.1 base score is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges (NVD).

The vulnerability allows authenticated users to access local files on the CodeRed CMS server through path traversal. By using encoded URL patterns such as '..%2f', attackers can potentially access sensitive system files outside the intended protected media directory (GitHub Issue).

The issue was fixed in version 0.22.3 of CodeRed CMS by implementing proper validation to prevent upward path traversals when serving protected media. Users are advised to upgrade to version 0.22.3 or later to mitigate this vulnerability (GitHub Patch).