Security Advisories

CGA-hjg4-672p-6268

Published

Last updated

https://images.chainguard.dev/security/CGA-hjg4-672p-6268

Package

py3-django

Latest Update

Fixed

Fixed Version

5.0.7-r0

Aliases

CVE-2024-39330
GHSA-9jmf-237g-qf46

Severity

7.5

High

CVSS V3

Summary

Django Path Traversal vulnerability

Description

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39330
https://github.com/advisories/GHSA-9jmf-237g-qf46
https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e
https://github.com/django/django/commit/9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270
https://docs.djangoproject.com/en/dev/releases/security
https://github.com/django/django
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-58.yaml
https://groups.google.com/forum/#%21forum/django-announce
https://www.djangoproject.com/weblog/2024/jul/09/security-releases

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CGA-hjg4-672p-6268

Severity

Summary

Description

References

Updates

Product

Why Chainguard

Customers

Company

Resources