GHSA-jrh2-hc4r-7jwx

Source
https://github.com/advisories/GHSA-jrh2-hc4r-7jwx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-jrh2-hc4r-7jwx/GHSA-jrh2-hc4r-7jwx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jrh2-hc4r-7jwx
Aliases
Published
2022-01-12T19:21:04Z
Modified
2024-09-20T12:22:39.100820Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Directory-traversal in Django
Details

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

References

Affected packages

Package
PyPI / django

Affected ranges
Type: ECOSYSTEM
Introduced: 2.2
Fixed: 2.2.26

Affected versions

2.*

2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21
2.2.22
2.2.23
2.2.24
2.2.25

Package
PyPI / django

Affected ranges
Type: ECOSYSTEM
Introduced: 3.2
Fixed: 3.2.11

Affected versions

3.*

3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10

Package
PyPI / django

Affected ranges
Type: ECOSYSTEM
Introduced: 4.0
Fixed: 4.0.1

Affected versions

4.*

4.0