CVE-2022-36359

Advisory

Django 3.2.15 and 4.0.7 include a fix for CVE-2022-36359: An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
https://www.djangoproject.com/weblog/2022/aug/03/security-releases

Affected package

Affected versions

Fixed versions

Vulnerability changelog

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. See CVE-2022-36359.


CONFIRM:https://www.djangoproject.com/weblog/2022/aug/03/security-releases/: https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
MISC:https://docs.djangoproject.com/en/4.0/releases/security/: https://docs.djangoproject.com/en/4.0/releases/security/
MISC:https://groups.google.com/g/django-announce/c/8cz--gvaJr4: https://groups.google.com/g/django-announce/c/8cz--gvaJr4
MLIST:[oss-security] 20220803 Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.: http://www.openwall.com/lists/oss-security/2022/08/03/1

Resources

• https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
• https://docs.djangoproject.com/en/4.0/releases/security/
• https://groups.google.com/g/django-announce/c/8cz--gvaJr4
• http://www.openwall.com/lists/oss-security/2022/08/03/1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36359
• https://security.netapp.com/advisory/ntap-20220915-0008/
• https://www.debian.org/security/2022/dsa-5254