cbcvebase.
CVE-2022-36359
published 2022-08-03

Priority: P3 39
Severity: high, CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.65% (46.6th percentile)

Description

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Affected (6 ranges)

Vendor         Product        Version range                           Fixed in
debian         debian_linux
debian         python-django  < python-django 3:3.2.15-1 (bookworm)   python-django 3:3.2.15-1 (bookworm)
djangoproject  django         >= 0 < 3.2.15                           3.2.15
djangoproject  django         >= 3.2 < 3.2.15                         3.2.15
djangoproject  django         >= 4.0 < 4.0.7                          4.0.7
djangoproject  django         >= 4.0 < 4.0.7                          4.0.7

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ghsa                    8.8    HIGH
osv                     8.8    HIGH
vendor_debian           8.8    HIGH