<p>Upgrade <code>django</code> to version 3.2.15, 4.0.7, 4.1 or higher.</p>

Reflected File Download (RFD) Affecting django package, versions [,3.2.15) [4.0a1,4.0.7) [4.1rc1,4.1)

Snyk CVSS

Attack Complexity High

Integrity High

Threat Intelligence

EPSS 0.42% (75^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-DJANGO-2968205
published 3 Aug 2022
disclosed 3 Aug 2022
credit Motoyasu Saburi

Report a new vulnerability Found a mistake?

Introduced: 3 Aug 2022

CVE-2022-36359 Open this link in a new tab CWE-494 Open this link in a new tab

How to fix?

Upgrade django to version 3.2.15, 4.0.7, 4.1 or higher.

Overview

Affected versions of this package are vulnerable to Reflected File Download (RFD) as it is possible to set the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

References

Django Security Release
GitHub Commit Version 3.2.x3
GitHub Commit Version 4.0.x
GitHub Commit Version 4.1.x