CVE-2009-2659
Published 2009-08-04
Priority: P429 · medium · 5.0 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 2.27% (80.8th percentile)
The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.1-1 (bookworm) | python-django 1.1-1 (bookworm) |
| django_project | django | — | — |
| django_project | django | — | — |
| djangoproject | django | >= 0.96.0 < 0.96.4 | 0.96.4 |
| djangoproject | django | >= 1.0 < 1.0.3 | 1.0.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
Red Hat: Django directory traversal flaw
vendor_redhat · 2009-07-29 · CVSS 5.0 · MEDIUM
Debian: CVE-2009-2659: python-django
vendor_debian · 2009 · CVSS 5.0 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.1-1)
bullseye: resolved (fixed in 1.1-1)
forky: resolved (fixed in 1.1-1)
sid: resolved (fixed in 1.1-1)
trixie: resolved (fixed in 1.1-1)
OSV: Django Admin Media Handler Vulnerable to Directory Traversal
osv · 2022-05-02 · HIGH
GHSA: Django Admin Media Handler Vulnerable to Directory Traversal
ghsa · 2022-05-02 · HIGH · CWE-22
OSV: CVE-2009-2659
osv · 2009-08-04 · CVSS 5.0 · MEDIUM
No detection rules found.
No public exploits indexed.
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539134
http://code.djangoproject.com/changeset/11353
http://secunia.com/advisories/36137
http://secunia.com/advisories/36153
http://www.djangoproject.com/weblog/2009/jul/28/security/
http://www.openwall.com/lists/oss-security/2009/07/29/2
http://www.securityfocus.com/bid/35859
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00055.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00069.html