Reflected File Download (RFD) Affecting django package, versions [,3.2.15) [4.0a1,4.0.7) [4.1rc1,4.1)
Snyk CVSS
Attack Complexity
High
Integrity
High
Threat Intelligence
EPSS
0.42% (75th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-DJANGO-2968205
- published 3 Aug 2022
- disclosed 3 Aug 2022
- credit Motoyasu Saburi
Introduced: 3 Aug 2022
CVE-2022-36359 Open this link in a new tabHow to fix?
Upgrade django
to version 3.2.15, 4.0.7, 4.1 or higher.
Overview
Affected versions of this package are vulnerable to Reflected File Download (RFD) as it is possible to set the Content-Disposition
header of a FileResponse
when the filename
is derived from user-supplied input.