Veracode Vulnerability Database, VERACODE:36601
Aug 04, 2022 - 6:24 a.m.

Information Disclosure

2022-08-04 06:24:41
sca.analysiscenter.veracode.com
information disclosure
django
response.py
content-disposition
vulnerability
file system access

EPSS: 0.004 (percentile: 74.3%)

django is vulnerable to information disclosure. The vulnerability exists in the set_headers function in response.py: the user-supplied filename placed in the Content-Disposition header is not escaped, which allows an attacker to download and gain access to information in the file system.
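
The effect of the missing escaping can be seen by building the header both ways and parsing it as a client would. This is an added example, not Django's code or its patch; the function names, the minimal parser and the sample filename are assumptions made for illustration, and filenames are assumed to be ASCII.

```python
import re

def unsafe_disposition(filename):
    # Unescaped pattern: the name is placed between the quotes as-is.
    return 'attachment; filename="{}"'.format(filename)

def safe_disposition(filename):
    # Control characters (CR/LF included) never belong in a header value.
    if any(ord(c) < 32 or ord(c) == 127 for c in filename):
        raise ValueError("control character in filename")
    # Backslash first, then the quote, so the escapes are not double-escaped.
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return 'attachment; filename="{}"'.format(escaped)

# name=token or name="quoted-string" with backslash escapes (RFC 6266 shape)
_PARAM = re.compile(r'([\w*-]+)=(?:"((?:\\.|[^"\\])*)"|([^;\s]*))')

def parse_params(header):
    """Return the parameters a receiving client would read from the header."""
    _, _, rest = header.partition(";")
    params = {}
    for m in _PARAM.finditer(rest):
        if m.group(2) is not None:
            # Quoted-string: undo the backslash escapes.
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        params[m.group(1)] = value
    return params

if __name__ == "__main__":
    name = 'q3"; injected="yes'   # constructed sample input
    for build in (unsafe_disposition, safe_disposition):
        header = build(name)
        print(build.__name__, header, parse_params(header), sep="\n  ")
```

With the unescaped builder the quote in the name closes the quoted string early and the parser reads a second parameter; with escaping the whole input stays inside the single filename value.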
