
Debian 10 DLA-3164-1 Critical: Django Permissions And Cache Threats

Debian LTS advisory, October 28, 2022
A series of vulnerabilities in Django has been rectified in this Debian LTS release to bolster the protection of web applications.
Multiple vulnerabilities were discovered in Django, a popular Python-based web development framework.

Summary

* CVE-2020-24583: Fix incorrect permissions on intermediate-level
directories on Python 3.7+. FILE_UPLOAD_DIRECTORY_PERMISSIONS mode
was not applied to intermediate-level directories created in the
process of uploading files and to intermediate-level collected
static directories when using the collectstatic management
command. You should review and manually fix permissions on
existing intermediate-level directories.

* CVE-2020-24584: Correct permission escalation vulnerability in
intermediate-level directories of the file system cache. On Python
3.7 and above, the intermediate-level directories of the file
system cache had the system's standard umask rather than 0o077 (no
group or others permissions).

* CVE-2021-3281: Fix a potential directory-traversal exploit via
archive.extract(). The django.utils.archive.extract() function,
used by startapp --template and startproject --template, allowed
directory traversal via an archive with absolute paths or relative

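One way to carry out the review the first two entries ask for, as an added example that is not part of the advisory or of Django itself: it walks a tree such as a file-based cache directory (where 0o700 is expected) or MEDIA_ROOT/STATIC_ROOT (compare against your FILE_UPLOAD_DIRECTORY_PERMISSIONS value) and reports, then optionally tightens, every directory whose mode grants more than the allowed mask. The sample tree and the 0o755/0o700 values in demo() are constructed.

```python
import os
import shutil
import stat
import tempfile


def find_overly_permissive_dirs(root, allowed_mask):
    """Return sorted (relative_path, mode) pairs for every directory below
    root whose permission bits include a bit outside allowed_mask.
    Symlinks are skipped so a link into another tree is never chmod'ed."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~allowed_mask:
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)


def tighten_dirs(root, allowed_mask):
    """Clear the disallowed bits in place; returns how many dirs changed."""
    changed = 0
    for rel, mode in find_overly_permissive_dirs(root, allowed_mask):
        os.chmod(os.path.join(root, rel), mode & allowed_mask)
        changed += 1
    return changed


def demo():
    """Constructed sample: a file-system cache tree whose intermediate
    directories were created with the process umask (here 0o755) instead
    of the 0o700 that a 0o077 umask would give (CVE-2020-24584)."""
    root = tempfile.mkdtemp()  # created 0o700, as a cache dir should be
    try:
        os.makedirs(os.path.join(root, "a1", "b2"))
        os.chmod(os.path.join(root, "a1"), 0o755)
        os.chmod(os.path.join(root, "a1", "b2"), 0o755)
        before = find_overly_permissive_dirs(root, 0o700)  # two findings
        fixed = tighten_dirs(root, 0o700)                   # 2
        after = find_overly_permissive_dirs(root, 0o700)   # []
    finally:
        shutil.rmtree(root)
    return before, fixed, after


if __name__ == "__main__":
    print(demo())
```

Run it read-only first (only find_overly_permissive_dirs) against a production tree and check the findings before letting tighten_dirs change anything.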


Severity: critical

Package: python-django
Version: 1:1.11.29-1+deb10u2
