CVE-2009-2659 — Path Traversal in Django

CWE-22 — Path Traversal8 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

1.4%

top 19.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Django Project Django

Timeline

PublishedAug 4

Latest updateMay 2

Description

The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django0.96.0 — 0.96.4+1

▶NVDdjango_project/django0.96, 1.0+1

Patches

Patch: www.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

Django Admin Media Handler Vulnerable to Directory Traversal↗2022-05-02

▶

GHSA

Django Admin Media Handler Vulnerable to Directory Traversal↗2022-05-02

▶

CVEList

CVE-2009-2659: The Admin media handler in core/servers/basehttp↗2009-08-04

▶

OSV

CVE-2009-2659: The Admin media handler in core/servers/basehttp↗2009-08-04

▶

📋Vendor Advisories

Red Hat

Django directory traversal flaw↗2009-07-29

▶

Debian

CVE-2009-2659: python-django - The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does ...↗2009

▶

💬Community

Bugzilla

CVE-2009-2659 Django directory traversal flaw↗2009-08-04

▶