Django is vulnerable to information disclosure. The vulnerability exists in the set_headers function in response.py because the user-supplied filename placed in the Content-Disposition header is not escaped, which allows an attacker to download and gain access to information in the file system.
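As an added illustration, not Django's own code or its patched set_headers, the header-building pattern the description refers to: a naive builder that interpolates the filename verbatim beside a hardened one that escapes the RFC 7230 quoted-string (and falls back to the RFC 6266 filename* form for non-ASCII names), with a small quoted-string reader as the check. The filename `quarterly".txt` and the function names are constructed for the example.

```python
# Added example, not Django's own code: a naive Content-Disposition builder
# beside a hardened one, plus a small quoted-string reader used as the check.
from urllib.parse import quote


def naive_content_disposition(filename: str, as_attachment: bool = True) -> str:
    """Interpolates the filename verbatim (the unescaped pattern)."""
    disposition = "attachment" if as_attachment else "inline"
    return f'{disposition}; filename="{filename}"'


def safe_content_disposition(filename: str, as_attachment: bool = True) -> str:
    """ASCII names: backslash-escape '\\' and '"' inside the quoted-string.
    Non-ASCII names: emit the RFC 6266 filename* form, percent-encoded."""
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        return f"{disposition}; filename*=utf-8''{quote(filename)}"
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'{disposition}; filename="{escaped}"'


def parse_quoted_filename(header: str):
    """Read the quoted-string after 'filename="' as RFC 7230 does: a backslash
    escapes the next character, a bare '"' terminates the value.
    Returns (recovered_filename, text_left_over_after_the_closing_quote)."""
    i = header.index('filename="') + len('filename="')
    out = []
    while i < len(header):
        c = header[i]
        if c == "\\" and i + 1 < len(header):
            out.append(header[i + 1])
            i += 2
            continue
        if c == '"':
            return "".join(out), header[i + 1:]
        out.append(c)
        i += 1
    return "".join(out), ""  # unterminated quoted-string


def round_trips(filename: str, builder) -> bool:
    """True when the receiver recovers exactly the filename that was sent
    and nothing spills past the closing quote into further parameters."""
    recovered, leftover = parse_quoted_filename(builder(filename))
    return recovered == filename and leftover == ""


if __name__ == "__main__":
    sample = 'quarterly".txt'  # constructed sample: a quote inside the name
    print(naive_content_disposition(sample), round_trips(sample, naive_content_disposition))
    print(safe_content_disposition(sample), round_trips(sample, safe_content_disposition))
```

With the naive builder the reader stops at the embedded quote and the rest of the name is left over as header text; with the escaping builder the full name round-trips.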
www.openwall.com/lists/oss-security/2022/08/03/1
bugzilla.suse.com/show_bug.cgi?id=CVE-2022-36359
docs.djangoproject.com/en/4.0/releases/security/
github.com/django/django/commit/46916665f9aa729067ef894e994854ecf9223157
github.com/django/django/commit/b3e4494d759202a3b6bf247fd34455bf13be5b80
github.com/django/django/commit/b7d9529cbe0af4adabb6ea5d01ed8dcce3668fb3
groups.google.com/g/django-announce/c/8cz--gvaJr4
lists.fedoraproject.org/archives/list/[email protected]/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
lists.fedoraproject.org/archives/list/[email protected]/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
seclists.org/oss-sec/2022/q3/78
security.netapp.com/advisory/ntap-20220915-0008/
www.debian.org/security/2022/dsa-5254
www.djangoproject.com/weblog/2022/aug/03/security-releases/