Description
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
| Release | Status | Note |
|---|---|---|
| bionic | not-affected | |
| devel | released | 3:3.2.15-1 |
| esm-infra-legacy/trusty | not-affected | |
| esm-infra/bionic | not-affected | |
| esm-infra/focal | released | 2:2.2.12-1ubuntu0.13 |
| esm-infra/xenial | not-affected | |
| focal | released | 2:2.2.12-1ubuntu0.13 |
| jammy | released | 2:3.2.12-2ubuntu1.2 |
| kinetic | released | 3:3.2.15-1 |
| trusty | ignored | end of standard support |
CVSS3: 8.8 High
Related vulnerabilities
Django vulnerable to Reflected File Download attack
A vulnerability in the Django web application framework, related to downloading code without verifying its integrity, that allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service