Django is vulnerable to path traversal. Subclasses of the django.core.files.storage.Storage base class that override generate_filename() without replicating the file-path validation performed by the parent implementation could permit path traversal via certain inputs during a save() call: save() relied on the name it received having already been checked, so an override that dropped the check left nothing between a name containing ".." components and the backend's write. Storages that do not override generate_filename(), or whose override delegates to the parent implementation before altering the result, keep the check. Audit custom Storage subclasses for generate_filename() overrides that build a name without validating it, and apply the July 9, 2024 security releases linked below.
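The following is an added, dependency-free illustration written for this page; it is not Django's code. It models the generate_filename() then save() flow with a toy base class, a hypothetical per-user subclass (PerUserStorage) whose override drops the parent's ".." check, and two ways out: a base class whose save() re-validates the name (FixedBaseStorage, modelled on the shape of the fix) and an override that runs the parent check first (SafePerUserStorage). validate_file_name() here is a simplified stand-in for the validation helper Django uses, and the object-store backend, prefixes and file names are constructed for the demo.

```python
import posixpath
import pathlib


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation."""


def validate_file_name(name, allow_relative_path=False):
    """Simplified stand-in for the validation helper Django applies to file
    names (not the real function): reject empty/dot names, absolute paths and
    any '..' component."""
    if posixpath.basename(name) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from {name!r}")
    if allow_relative_path:
        path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {name!r}")
    elif name != posixpath.basename(name):
        raise SuspiciousFileOperation(f"File name {name!r} includes path elements")
    return name


class BaseStorage:
    """Toy model of the Storage base class before the fix: the traversal
    check lives in generate_filename(), and save() trusts the name it gets.
    posixpath is used (instead of os.path) so the demo behaves the same on
    every platform."""

    root = "media"  # constructed bucket prefix

    def get_valid_name(self, name):
        return "".join(ch for ch in name if ch.isalnum() or ch in "._-")

    def generate_filename(self, filename):
        filename = str(filename).replace("\\", "/")
        dirname, basename = posixpath.split(filename)
        if ".." in pathlib.PurePosixPath(dirname).parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in {dirname!r}")
        return posixpath.normpath(posixpath.join(dirname, self.get_valid_name(basename)))

    def save(self, name, content):
        # Pre-fix behaviour: no re-validation here.
        return self._save(name, content)

    def _save(self, name, content):
        # Hypothetical object-store backend: builds the key by plain joining,
        # with no safe_join(); returns the key the object would be written to.
        return posixpath.normpath(posixpath.join(self.root, name))


class FixedBaseStorage(BaseStorage):
    """Toy model of save() after the fix: the name is validated in save()
    itself, before and after the backend touches it, so an override that
    dropped the check can no longer bypass it."""

    def save(self, name, content):
        validate_file_name(name, allow_relative_path=True)
        name = self._save(name, content)
        validate_file_name(name, allow_relative_path=True)
        return name


class PerUserStorage(BaseStorage):
    """Hypothetical custom storage: prefixes uploads with a per-user directory
    but overrides generate_filename() without the parent's '..' check."""

    def __init__(self, user_id):
        self.user_id = user_id

    def generate_filename(self, filename):
        # Keeps the caller's directory parts, never inspects them.
        return posixpath.join(f"user_{self.user_id}", filename)


class FixedPerUserStorage(PerUserStorage, FixedBaseStorage):
    """Same faulty override, but running on the fixed base class."""


class SafePerUserStorage(PerUserStorage):
    """The override itself hardened: run the parent check, then prefix."""

    def generate_filename(self, filename):
        checked = BaseStorage.generate_filename(self, filename)
        return posixpath.join(f"user_{self.user_id}", checked)


def attempt(storage, supplied_name):
    """Mimic the FileField flow (generate_filename() then save()) and return
    the storage key that would be written, or 'rejected' if validation fired."""
    try:
        name = storage.generate_filename(supplied_name)
        return storage.save(name, b"constructed file body")
    except SuspiciousFileOperation:
        return "rejected"


if __name__ == "__main__":
    for cls in (PerUserStorage, FixedPerUserStorage, SafePerUserStorage):
        for supplied in ("avatars/me.png", "../../other/avatar.png"):
            print(f"{cls.__name__:20} {supplied:28} -> {attempt(cls(7), supplied)}")
```

With the unfixed base class and the faulty override, "../../other/avatar.png" resolves to the key other/avatar.png, outside both the user prefix and the media root; on the fixed base class, or with the override delegating to the parent check, the same input is rejected while "avatars/me.png" still lands under media/user_7/.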
docs.djangoproject.com/en/dev/releases/security/
github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e
github.com/django/django/commit/9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270
groups.google.com/forum/#!forum/django-announce
www.djangoproject.com/weblog/2024/jul/09/security-releases/