Reflected File Download Vulnerability in Django by the Django Software Foundation
CVE-2022-36359

8.8 HIGH

Key Information:

Status:
Vendor:
CVE Published: 3 August 2022

What is CVE-2022-36359?

A reflected file download vulnerability has been identified in the HTTP FileResponse class within Django versions 3.2 prior to 3.2.15 and 4.0 prior to 4.0.7. This flaw arises from improper handling of the Content-Disposition header, which can be manipulated through user-supplied input. Successful exploitation of this vulnerability may lead to unintended file downloads, posing significant security risks for applications utilizing affected versions of Django.
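The weakness described above comes down to how a user-controlled filename is placed into the Content-Disposition header. The following is an added illustration, not Django's own code or its fix: it shows a naive header builder next to one that escapes the filename per RFC 6266 (quoted-string form) and RFC 8187 (`filename*` form), and uses Python's standard-library `email.message` parameter parser as a stand-in for how a receiver tokenizes the header. The function names and the sample filenames are constructed for this example.

```python
"""Building a Content-Disposition header safely from an untrusted filename.

Added example, not Django's code. Shows why interpolating a user-supplied
filename directly into the header lets the filename close the quoted string
and smuggle in extra parameters, and one way to escape it instead.
"""
from email.message import Message
from urllib.parse import quote


def unsafe_content_disposition(filename: str) -> str:
    # Naive interpolation: a '"' or ';' inside the filename becomes header syntax.
    return f'attachment; filename="{filename}"'


def safe_content_disposition(filename: str) -> str:
    # Drop CR/LF so the value can never be split into additional header lines.
    cleaned = filename.replace("\r", "").replace("\n", "")
    # Quoted-string form (RFC 6266): ASCII only, with backslash and '"' escaped.
    ascii_part = cleaned.encode("ascii", "ignore").decode("ascii")
    quoted = ascii_part.replace("\\", "\\\\").replace('"', '\\"')
    # Extended form (RFC 8187): percent-encoded UTF-8, preferred by modern
    # browsers when both parameters are present, so non-ASCII names survive.
    encoded = quote(cleaned, safe="")
    return f'attachment; filename="{quoted}"; filename*=utf-8\'\'{encoded}'


def _parse(header_value: str) -> Message:
    # Stand-in receiver: the email package's parameter parser understands
    # quoted strings, backslash escapes and RFC 2231/8187 'name*=' values.
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg


def parameter_names(header_value: str) -> list:
    """Parameter names a receiver would see, in order (first entry is the type)."""
    return [name for name, _ in _parse(header_value).get_params(header="content-disposition")]


def parsed_filename(header_value: str) -> str:
    """The filename a receiver would extract from the header."""
    return _parse(header_value).get_filename()


if __name__ == "__main__":
    hostile = 'report"; foo=bar'  # constructed filename containing header syntax
    for build in (unsafe_content_disposition, safe_content_disposition):
        header = build(hostile)
        print(build.__name__)
        print("  header:    ", header)
        print("  parameters:", parameter_names(header))
        print("  filename:  ", parsed_filename(header))
```

With the naive builder, the quote inside the filename terminates the `filename` parameter early, so the receiver sees a truncated name plus a `foo` parameter it was never meant to get; with the escaping builder, the full name round-trips and no extra parameter appears. In Django the header value is additionally checked for newlines before it is sent, so the CR/LF stripping here is a belt-and-braces step for frameworks that do not.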

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
