CVE-2024-39330 — Path Traversal in Django

CWE-22 — Path Traversal10 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedJul 10

Latest updateJul 11

Description

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDdjangoproject/django4.2 — 4.2.14+1

▶PyPIdjangoproject/django5.0 — 5.0.7+1

🔴Vulnerability Details

CVEList

CVE-2024-39330: An issue was discovered in Django 5↗2024-07-10

▶

OSV

Django Path Traversal vulnerability↗2024-07-10

▶

GHSA

Django Path Traversal vulnerability↗2024-07-10

▶

OSV

CVE-2024-39330: An issue was discovered in Django 5↗2024-07-10

▶

OSV

python-django vulnerabilities↗2024-07-09

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2024-07-11

▶

Red Hat

python-django: Potential directory-traversal in django.core.files.storage.Storage.save()↗2024-07-09

▶

Ubuntu

Django vulnerabilities↗2024-07-09

▶

Debian

CVE-2024-39330: python-django - An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derive...↗2024

▶