CVE-2024-39330
Published: 9 July 2024
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
Notes
| Author | Note |
|---|---|
Priority reason: Does not affect any of the built-in classes |
|
| alexmurray |
upstream advises that only versions 4.2, 5.0 and 5.1 (plus main development branch) are affected but it is likely earlier versions may also be affected but upstream do not mention this as they are no longer maintained by them |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-django
Launchpad, Ubuntu, Debian |
bionic |
Released
(1:1.11.11-1ubuntu1.21+esm5)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| focal |
Released
(2:2.2.12-1ubuntu0.23)
|
|
| jammy |
Released
(2:3.2.12-2ubuntu1.12)
|
|
| mantic |
Released
(3:4.2.4-1ubuntu2.3)
|
|
| noble |
Released
(3:4.2.11-1ubuntu1.1)
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|