oss-sec mailing list archives
Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.
From: Carlton Gibson <carlton.gibson () gmail com>
Date: Wed, 3 Aug 2022 09:54:16 +0200
See: https://www.djangoproject.com/weblog/2022/aug/03/security-releases/ In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 4.0.7 <https://docs.djangoproject.com/en/dev/releases/4.0.7/>`_, and `Django 3.2.15 <https://docs.djangoproject.com/en/dev/releases/3.2.15/>`_. These releases addresses the security issue detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2022-36359: Potential reflected file download vulnerability in ``FileResponse`` =================================================================================== An application may have been vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a ``FileResponse`` when the ``filename`` was derived from user-supplied input. The ``filename`` is now escaped to avoid this possibility. This issue has high severity, according to the Django security policy. Thanks to Motoyasu Saburi for the report. Affected supported versions =========================== * Django main branch * Django 4.1 (which will be released in a separate blog post later today) * Django 4.0 * Django 3.2 Resolution ========== Patches to resolve the issue have been applied to Django's main branch and the 4.1, 4.0, and 3.2 release branches. The patches may be obtained from the following changesets: * On the `main branch < https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173
`__
* On the `4.1 release branch < https://github.com/django/django/commit/46916665f9aa729067ef894e994854ecf9223157
`__
* On the `4.0 release branch < https://github.com/django/django/commit/b7d9529cbe0af4adabb6ea5d01ed8dcce3668fb3
`__
* On the `3.2 release branch < https://github.com/django/django/commit/b3e4494d759202a3b6bf247fd34455bf13be5b80
`__
The following releases have been issued: * Django 4.0.7 (`download Django 4.0.7 < https://www.djangoproject.com/m/releases/4.0/Django-4.0.7.tar.gz>`_ | `4.0.7 checksums < https://www.djangoproject.com/m/pgp/Django-4.0.7.checksum.txt>`_) * Django 3.2.15 (`download Django 3.2.15 < https://www.djangoproject.com/m/releases/3.2/Django-3.2.15.tar.gz>`_ | `3.2.15 checksums < https://www.djangoproject.com/m/pgp/Django-3.2.15.checksum.txt>`_) The PGP key ID used for this release is Carlton Gibson: `E17DF5C82B4F9D00 < https://github.com/carltongibson.gpg>`_. General notes regarding security reporting ========================================== As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance or the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.
Current thread:
- Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse. Carlton Gibson (Aug 03)