CVE-2022-36359: Download of Code Without Integrity Check

August 3, 2022 (updated November 7, 2023)

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

References

www.openwall.com/lists/oss-security/2022/08/03/1
docs.djangoproject.com/en/4.0/releases/security/
groups.google.com/g/django-announce/c/8cz--gvaJr4
nvd.nist.gov/vuln/detail/CVE-2022-36359
www.djangoproject.com/weblog/2022/aug/03/security-releases/

Detect and mitigate CVE-2022-36359 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →