Описание
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
A directory-traversal flaw was found in Django's Storage.save() method, where a network attacker could possibly traverse restricted paths using suitably crafted file names.
Отчет
In Red Hat OpenStack Platform, because the flaw's impact is lower and the impacted functionality is not directly used, no update will be provided at this time for the python-django20 package.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | python-django | Affected | ||
| Red Hat Ansible Automation Platform 2 | python-django | Affected | ||
| Red Hat Ansible Tower 3 | django | Affected | ||
| Red Hat Ceph Storage 2 | calamari-server | Out of support scope | ||
| Red Hat Ceph Storage 2 | python-django | Out of support scope | ||
| Red Hat Ceph Storage 3 | python-django | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | python-django | Out of support scope | ||
| Red Hat OpenStack Platform 16.1 | python-django20 | Will not fix | ||
| Red Hat OpenStack Platform 16.2 | python-django20 | Will not fix | ||
| Red Hat Satellite 6 | python3-django | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.4 High
CVSS3
Связанные уязвимости
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 b ...
Уязвимость функция Storage.save() фреймворка для веб-приложений Django, позволяющая нарушителю получить доступ к конфиденциальной информации
EPSS
7.4 High
CVSS3