
django-sendfile2 before 0.7.0 contains reflected file download vulnerability

High severity · GitHub Reviewed · Published Aug 8, 2022 in moggers87/django-sendfile2 · Updated Jan 7, 2023

Package

django-sendfile2 (pip)

Affected versions

< 0.7.0

Patched versions

0.7.0

Description

Similar to CVE-2022-36359 in Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name that django-sendfile2 places in the Content-Disposition header was derived from user input, it was possible to perform such an attack. The fix is released in django-sendfile2 0.7.0. Either upgrade to 0.7.0, or escape the file name yourself before handing it to django-sendfile2, using Django's patch as a template: django/django@bd06244
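To make the attack and the fix concrete, here is an added, stand-alone example; it is not code from django-sendfile2 or from Django. The `unsafe_content_disposition` function is an illustrative stand-in for header construction that interpolates a user-supplied name verbatim, not the library's actual pre-0.7.0 code. The `safe_content_disposition` function applies the same escaping that Django's patch for CVE-2022-36359 (django/django@bd06244) applies: backslash and double quote are escaped inside an HTTP quoted-string for ASCII names, and non-ASCII names are emitted in the RFC 5987 `filename*` form. The malicious file name and the small header parser are constructed for the example.

```python
from urllib.parse import quote

# Constructed sample input (not from the advisory): a "file name" that arrives
# from a query-string parameter. The embedded quote closes the filename token
# early and smuggles a second one, which is the reflected file download pattern.
MALICIOUS_NAME = 'report.pdf"; filename="setup.bat'


def unsafe_content_disposition(filename, attachment=True):
    """Illustrative stand-in for pre-fix behaviour: interpolate the name verbatim."""
    disposition = "attachment" if attachment else "inline"
    return f'{disposition}; filename="{filename}"'


def safe_content_disposition(filename, attachment=True):
    """Escape the way Django's fix for CVE-2022-36359 (django/django@bd06244) does.

    ASCII names become an HTTP quoted-string with backslash and double quote
    escaped; non-ASCII names use the RFC 5987 filename*=utf-8'' form.
    """
    disposition = "attachment" if attachment else "inline"
    try:
        filename.encode("ascii")
        file_expr = 'filename="{}"'.format(
            filename.replace("\\", "\\\\").replace('"', r"\"")
        )
    except UnicodeEncodeError:
        file_expr = "filename*=utf-8''{}".format(quote(filename))
    return f"{disposition}; {file_expr}"


def parse_content_disposition(header):
    """Minimal parser returning (disposition, [(param, value), ...]).

    Honours quoted-pair escapes inside quoted-strings and keeps every parameter
    occurrence, so duplicate filename= tokens remain visible to the caller.
    """
    disposition, _, rest = header.partition(";")
    params = []
    i, n = 0, len(rest)
    while i < n:
        while i < n and rest[i] in " ;":          # skip separators
            i += 1
        if i >= n:
            break
        eq = rest.find("=", i)
        if eq == -1:
            break
        key = rest[i:eq].strip().lower()
        i = eq + 1
        if i < n and rest[i] == '"':               # quoted-string value
            i += 1
            buf = []
            while i < n and rest[i] != '"':
                if rest[i] == "\\" and i + 1 < n:  # quoted-pair: next char is literal
                    i += 1
                buf.append(rest[i])
                i += 1
            i += 1                                  # consume closing quote
            value = "".join(buf)
        else:                                      # bare token value
            end = rest.find(";", i)
            if end == -1:
                end = n
            value = rest[i:end].strip()
            i = end
        params.append((key, value))
    return disposition.strip(), params


def injected_parameter_count(header):
    """Number of filename parameters a lenient client would see; more than 1 means injection."""
    return sum(1 for k, _ in parse_content_disposition(header)[1] if k == "filename")


def round_trips(filename):
    """True if the escaped header parses back to exactly one filename equal to the input."""
    _, params = parse_content_disposition(safe_content_disposition(filename))
    return params == [("filename", filename)]


if __name__ == "__main__":
    print(unsafe_content_disposition(MALICIOUS_NAME))
    print(safe_content_disposition(MALICIOUS_NAME))
    print(safe_content_disposition("résumé.pdf"))
```

With the unsafe builder the header carries two `filename` parameters and a browser that takes the last one saves the download as `setup.bat`; with the escaped builder the whole attacker string stays inside one quoted-string and parses back to a single parameter. How strictly real browsers parse a malformed Content-Disposition varies, which is why the advisory frames exploitability on whether the name is derived from user input rather than on a specific client.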

References

@moggers87 published to moggers87/django-sendfile2 Aug 8, 2022
Published to the GitHub Advisory Database Aug 11, 2022
Reviewed Aug 11, 2022
Last updated Jan 7, 2023

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-pcjh-6r5h-r92r

Credits
