PYSEC-2022-245

Source
https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2022-245.yaml
Aliases
Published
2022-08-03T14:15:00Z
Modified
2022-08-03T16:55:03.165433Z
Details

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

References

Affected packages

PyPI / django

django

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2
Fixed
3.2.15
Introduced
4.0
Fixed
4.0.7

Affected versions

3.*

3.2
3.2.1
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9

4.*

4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6