Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-24584

Опубликовано: 01 сент. 2020
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

A flaw was found in django. The intermediate-level directories of the file system cache had the system's standard umask rather than 0o077 (no group or others permissions). The highest threat from this vulnerability is to data confidentiality.

Отчет

This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.

  • Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.
  • Red Hat Ceph Storage 2 and 3 uses Python 2.X
  • Red Hat Gluster Storage 3 uses Python 2.X

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ceph Storage 2python-djangoOut of support scope
Red Hat Ceph Storage 3python-djangoOut of support scope
Red Hat OpenStack Platform 10 (Newton)python-djangoOut of support scope
Red Hat OpenStack Platform 13 (Queens)python-djangoOut of support scope
Red Hat OpenStack Platform 15 (Stein)python-djangoOut of support scope
Red Hat OpenStack Platform 16 (Train)python-djangoOut of support scope
Red Hat Satellite 6python-djangoNot affected
Red Hat Storage 3python-djangoOut of support scope
Red Hat Update Infrastructure 3 for Cloud Providerspython-djangoNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-276
https://bugzilla.redhat.com/show_bug.cgi?id=1874492django: permission escalation in intermediate-level directories of the file system cache on Python 3.7+

EPSS

Процентиль: 81%
0.01608
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-24584

CVSS3: 7.5
ubuntu
почти 5 лет назад

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

nvd логотип

CVE-2020-24584

CVSS3: 7.5
nvd
почти 5 лет назад

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

debian логотип

CVE-2020-24584

CVSS3: 7.5
debian
почти 5 лет назад

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...

github логотип

GHSA-fr28-569j-53c4

CVSS3: 7.5
github
больше 4 лет назад

Django Incorrect Default Permissions

fstec логотип

BDU:2021-00881

CVSS3: 7.5
fstec
почти 5 лет назад

Уязвимость программной платформы для веб-приложений Django, связанная с связана с неправильными настройками прав доступа по умолчанию, позволяющая нарушителю раскрыть защищаемую информацию

EPSS

Процентиль: 81%
0.01608
Низкий

7.5 High

CVSS3