Vulnerability Details : CVE-2022-36359
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Products affected by CVE-2022-36359
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36359
0.46%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 75 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-36359
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2022-36359
-
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-36359
-
http://www.openwall.com/lists/oss-security/2022/08/03/1
oss-security - Django: CVE-2022-36359: Potential reflected file download vulnerability in FileResponse.Mailing List;Patch;Third Party Advisory
-
https://www.djangoproject.com/weblog/2022/aug/03/security-releases/
Django security releases issued: 4.0.7 and 3.2.15 | Weblog | DjangoPatch;Vendor Advisory
-
https://www.debian.org/security/2022/dsa-5254
Debian -- Security Information -- DSA-5254-1 python-djangoThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
[SECURITY] Fedora 37 Update: python-django-4.0.10-1.fc37 - package-announce - Fedora Mailing-Lists
-
https://docs.djangoproject.com/en/4.0/releases/security/
Archive of security issues | Django documentation | DjangoNot Applicable;Patch;Vendor Advisory
-
https://security.netapp.com/advisory/ntap-20220915-0008/
CVE-2022-36359 Django Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
[SECURITY] Fedora 38 Update: python-django-4.0.10-1.fc38 - package-announce - Fedora Mailing-Lists
-
https://groups.google.com/g/django-announce/c/8cz--gvaJr4
Django security releases issued: 4.0.7 and 3.2.15.Release Notes;Third Party Advisory
Jump to