Reflected File Download Vulnerability in Django by the Django Software Foundation
CVE-2022-36359

8.8HIGH

Key Information:

Vendor: Djangoproject
Status: Django
Vendor: CVE Published:; 3 August 2022

🔔 Create Djangoproject Vulnerability Alert

What is CVE-2022-36359?

A reflected file download vulnerability has been identified in the HTTP FileResponse class within Django versions 3.2 prior to 3.2.15 and 4.0 prior to 4.0.7. This flaw arises from improper handling of the Content-Disposition header, which can be manipulated through user-supplied input. Successful exploitation of this vulnerability may lead to unintended file downloads, posing significant security risks for applications utilizing affected versions of Django.

References

https://docs.djangoproject.com/en/4.0/releases/security/

http://www.openwall.com/lists/oss-security/2022/08/03/1

mailing-list

https://groups.google.com/g/django-announce/c/8cz--gvaJr4

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 3, 2022
Vulnerability Reserved
Jul 21, 2022