CVE-2022-36359
Published 2022-08-03. CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file…
Priority: P3 · 39 · high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.65% (46.6th percentile)
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < python-django 3:3.2.15-1 (bookworm) | python-django 3:3.2.15-1 (bookworm) |
| djangoproject | django | >= 0 < 3.2.15 | 3.2.15 |
| djangoproject | django | >= 3.2 < 3.2.15 | 3.2.15 |
| djangoproject | django | >= 4.0 < 4.0.7 | 4.0.7 |
| djangoproject | django | >= 4.0 < 4.0.7 | 4.0.7 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
GHSA · 2022-08-11 · CVSS 8.8 · HIGH · CWE-20
django-sendfile2 before 0.7.0 contains reflected file download vulnerability
Similar to CVE-2022-36359 for Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform such an attack. A new version of django-sendfile2 will be released. Either download django-sendfile2 0.7.0 as a workaround or sanitize user input yourself, using Django's patch as a template: https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173
OSV · 2022-08-11 · HIGH
Django vulnerable to Reflected File Download attack
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
OSV · 2022-08-11 · CVSS 8.8 · HIGH
django-sendfile2 before 0.7.0 contains reflected file download vulnerability
Similar to CVE-2022-36359 for Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform such an attack. A new version of django-sendfile2 will be released. Either download django-sendfile2 0.7.0 as a workaround or sanitize user input yourself, using Django's patch as a template: https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173
GHSA · 2022-08-11 · HIGH · CWE-494
Django vulnerable to Reflected File Download attack
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
OSV · 2022-08-03 · CVSS 8.8 · HIGH
CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Ubuntu · 2022-08-04
Django vulnerability
Summary: Django could be made to expose sensitive information if it received a specially crafted input.
It was discovered that Django incorrectly handled certain FileResponse objects. An attacker could possibly use this issue to expose sensitive information or gain access to the user's machine.
Instructions: In general, a standard system update will make all the necessary changes.
Debian · 2022 · CVSS 8.8 · HIGH
CVE-2022-36359: python-django - An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2....
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Scope: local
bookworm: resolved (fixed in 3:3.2.15-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 3:3.2.15-1)
sid: resolved (fixed in 3:3.2.15-1)
trixie: resolved (fixed in 3:3.2.15-1)
No detection rules found.
No public exploits indexed.
References
- http://www.openwall.com/lists/oss-security/2022/08/03/1
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/g/django-announce/c/8cz--gvaJr4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://security.netapp.com/advisory/ntap-20220915-0008/
- https://www.debian.org/security/2022/dsa-5254
- https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
Published: 2022-08-03