GHSA-9jmf-237g-qf46

Source
https://github.com/advisories/GHSA-9jmf-237g-qf46
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-9jmf-237g-qf46/GHSA-9jmf-237g-qf46.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9jmf-237g-qf46
Aliases
Published
2024-07-10T06:33:52Z
Modified
2024-07-10T21:57:36.125546Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Django Path Traversal vulnerability
Details

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
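
The following is an added, stand-alone model of the bug class described above; it is not Django's source and not code from the advisory. The class and function names mirror django.core.files.storage.Storage and its helpers, but every body is a simplified re-implementation (an assumption made so the example runs without Django installed, using posixpath for OS-independent results). UnsafeStorage shows a subclass whose generate_filename() override prepends a user-controlled folder and drops the parent's ".." check; HardenedStorage shows one defence, re-validating the name inside save() regardless of what generate_filename() returned. Whether this matches the upstream fix line for line is not stated on this page; the remediation the page supports is upgrading to the fixed releases listed below.

```python
"""Constructed model of Storage.generate_filename()/save(); NOT Django's code.

Names mirror django.core.files.storage.Storage, bodies are simplified
re-implementations (assumption) so this runs without Django installed.
"""
import posixpath
import re
from pathlib import PurePosixPath


class SuspiciousFileOperation(Exception):
    """Raised when a file name would escape the storage root."""


def validate_file_name(name, allow_relative_path=False):
    """Reject empty/dot names, absolute paths and '..' segments (simplified model)."""
    name = str(name).replace("\\", "/")
    base = posixpath.basename(name)
    if base in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = PurePosixPath(name)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != base:
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class Storage:
    """Minimal stand-in for the base class; affected shape: save() trusts its input."""

    def __init__(self, root="/srv/app/media"):
        self.root = root
        self.written = []  # absolute paths _save() would have written to

    def get_valid_name(self, name):
        # Keep only word characters, '-' and '.' in the base name.
        return re.sub(r"[^-\w.]", "", str(name).strip().replace(" ", "_"))

    def generate_filename(self, filename):
        # The parent's validation: refuse '..' in the directory part and
        # sanitise the base name. Overriding this without replicating it
        # is the pattern the advisory describes.
        filename = str(filename).replace("\\", "/")
        dirname, basename = posixpath.split(filename)
        if ".." in PurePosixPath(dirname).parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{dirname}'")
        return posixpath.normpath(posixpath.join(dirname, self.get_valid_name(basename)))

    def save(self, name, content):
        return self._save(name, content)

    def _save(self, name, content):
        self.written.append(posixpath.normpath(posixpath.join(self.root, name)))
        return name


class HardenedStorage(Storage):
    """Fixed shape: re-validate in save(), so a lax generate_filename() cannot escape."""

    def save(self, name, content):
        validate_file_name(name, allow_relative_path=True)
        return super().save(name, content)


class UserFolderMixin:
    """Override that prepends a user-controlled folder with no '..' check (vulnerable)."""

    def __init__(self, user_folder, **kwargs):
        super().__init__(**kwargs)
        self.user_folder = user_folder

    def generate_filename(self, filename):
        return posixpath.join(self.user_folder, filename)  # parent's checks are gone


class UnsafeStorage(UserFolderMixin, Storage):
    pass


class UnsafeOnHardenedStorage(UserFolderMixin, HardenedStorage):
    pass


def escapes_root(storage, path):
    return posixpath.commonpath([storage.root, path]) != storage.root


def base_rejects(upload_path):
    """True if the unmodified base class refuses upload_path in generate_filename()."""
    try:
        Storage().generate_filename(upload_path)
    except SuspiciousFileOperation:
        return True
    return False


def demo(user_folder="../../etc/cron.d", upload="job"):
    """Return (path written by the unpatched subclass, escaped root?, hardened outcome).

    user_folder/upload are constructed attacker-controlled values.
    """
    unsafe = UnsafeStorage(user_folder=user_folder)
    unsafe.save(unsafe.generate_filename(upload), b"payload")
    written = unsafe.written[0]

    hardened = UnsafeOnHardenedStorage(user_folder=user_folder)
    try:
        hardened.save(hardened.generate_filename(upload), b"payload")
        outcome = "saved"
    except SuspiciousFileOperation:
        outcome = "rejected"
    return written, escapes_root(unsafe, written), outcome


if __name__ == "__main__":
    print(demo())  # ('/srv/etc/cron.d/job', True, 'rejected')
```

The practical check this suggests: the page scopes the issue to derived classes, with built-in Storage subclasses unaffected, so search project and third-party code for classes deriving from django.core.files.storage.Storage that override generate_filename() (or otherwise bypass the parent's validation), and upgrade to 4.2.14 or 5.0.7 per the affected ranges below so the fix applies regardless of what those overrides return.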

References

Affected packages

PyPI / django

Affected ranges
Type: ECOSYSTEM
Introduced: 5.0
Fixed: 5.0.7

Affected versions (5.x)
5.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6

PyPI / django

Affected ranges
Type: ECOSYSTEM
Introduced: 4.2
Fixed: 4.2.14

Affected versions (4.x)
4.2
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.2.11
4.2.12
4.2.13