
CVE-2022-36359

Published: 3 August 2022

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application that sets the Content-Disposition header of a FileResponse using a filename derived from user-supplied input is vulnerable to a reflected file download (RFD) attack.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package: python-django (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Not vulnerable
focal      Released (2:2.2.12-1ubuntu0.13)
jammy      Released (2:3.2.12-2ubuntu1.2)
kinetic    Released (3:3.2.15-1)
trusty     Not vulnerable
upstream   Needs triage
xenial     Not vulnerable