CVE-2022-36359

Django vulnerable to Reflected File Download attack

Description

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading

Vulnerability Details

Score

8.7

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Versions

django < 3.2.15; django >= 4.0 < 4.0.7

Severity

High

Ecosystem

Python

Publish Date

August 11, 2022

Modified Date

January 14, 2025