CVE Vulnerability

CVE-2022-36359

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://docs.djangoproject.com/en/4.0/releases/security/ Not Applicable Patch
https://www.djangoproject.com/weblog/2022/aug/03/security-releases/ Patch Vendor Advisory
https://groups.google.com/g/django-announce/c/8cz--gvaJr4 Release Notes Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/08/03/1 Mailing List Patch
https://security.netapp.com/advisory/ntap-20220915-0008/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5254 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Information

Published : 2022-08-03 02:15

Updated : 2022-10-28 06:32

NVD link : CVE-2022-36359

Mitre link : CVE-2022-36359

Products Affected
No products.
CWE
CWE-494

Download of Code Without Integrity Check