===========================Django 2.2.24 release notes===========================*June 2, 2021*Django 2.2.24 fixes two security issues in 2.2.23.CVE-2021-33203: Potential directory traversal via ``admindocs``===============================================================Staff members could use the :mod:`~django.contrib.admindocs```TemplateDetailView`` view to check the existence of arbitrary files.Additionally, if (and only if) the default admindocs templates have beencustomized by the developers to also expose the file contents, then not onlythe existence but also the file contents would have been exposed.As a mitigation, path sanitation is now applied and only files within thetemplate root directories can be loaded.CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses===========================================================================================================================:class:`~django.core.validators.URLValidator`,:func:`~django.core.validators.validate_ipv4_address`, and:func:`~django.core.validators.validate_ipv46_address` didn't prohibit leadingzeros in octal literals. If you used such values you could suffer fromindeterminate SSRF, RFI, and LFI attacks.:func:`~django.core.validators.validate_ipv4_address` and:func:`~django.core.validators.validate_ipv46_address` validators were notaffected on Python 3.9.5+.