CVE-2022-36359

Download of Code Without Integrity Check in pypi/Django

Identifiers

CVE-2022-36359

Package Slug

pypi/Django

Vulnerability

Download of Code Without Integrity Check

Description

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Affected Versions

All versions starting from 3.2 before 3.2.15, all versions starting from 4.0 before 4.0.7

Solution

Upgrade to versions 3.2.15, 4.0.7 or above.

Last Modified

2022-08-10

source