[Snyk:HIGH] django Reflected File Download (RFD) (due by 09/10/2022) #5362

Closed
1 task
Tracked by #137
cnlucas opened this issue Aug 10, 2022 · 0 comments · Fixed by #5369
cnlucas (Member) commented Aug 10, 2022

Introduced through: django@3.2.14, cg-django-uaa@2.1.3 and others
Fixed in: django@3.2.15, @4.0.7, @4.1

Exploit maturity: No known exploit

Detailed paths and remediation
Introduced through: project@0.0.0 › cg-django-uaa@2.1.3 › django@3.2.14
Fix: Pin django to version 3.2.15 or 4.0.7 or 4.1
Introduced through: project@0.0.0 › django-jinja@2.7.0 › django@3.2.14
Fix: Pin django to version 3.2.15 or 4.0.7 or 4.1

Affected versions of this package are vulnerable to Reflected File Download (RFD) as it is possible to set the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Completion criteria

  • Verify that this is indeed a vulnerability for us and either complete the remediation or document, close the ticket and snooze the Snyk alert.
@cnlucas cnlucas added Security: high Remediate within 30 days Security: general General security concern or issue labels Aug 10, 2022
@cnlucas cnlucas added this to the Sprint 19.2 milestone Aug 10, 2022
@cnlucas cnlucas modified the milestones: Sprint 19.2, Sprint 19.1 Aug 11, 2022
@cnlucas cnlucas changed the title [Snyk:HIGH] django Reflected File Download (RFD) (due by 09/30/2022) [Snyk:HIGH] django Reflected File Download (RFD) (due by 09/10/2022) Aug 11, 2022
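The defect the advisory describes (a Content-Disposition header built from a user-supplied filename) in its unsafe and hardened forms, as an added example that is neither this project's nor Django's code. The sample filename `report".txt`, the helper names, and the client-side reader `filename_as_parsed` are this example's own assumptions; the hardened builder follows RFC 6266 quoted-string escaping and RFC 5987 `filename*` encoding, which is also the approach the fixed Django releases take.

```python
from urllib.parse import quote

# Constructed sample input: a download name taken from a request parameter. The
# double quote matters: in the naive builder it closes the quoted-string early.
USER_SUPPLIED_NAME = 'report".txt'


def naive_content_disposition(filename, as_attachment=True):
    """Unsafe: the filename goes straight into the quoted-string. This is the
    shape of the defect the advisory describes (illustration only)."""
    disposition = "attachment" if as_attachment else "inline"
    return f'{disposition}; filename="{filename}"'


def safe_content_disposition(filename, as_attachment=True):
    """Hardened builder (this example's own): RFC 6266 quoted-string escaping for
    ASCII names, RFC 5987 filename* encoding otherwise, newlines rejected."""
    if "\r" in filename or "\n" in filename:
        # Django's HttpResponse refuses newlines in header values; repeated here.
        raise ValueError("header values can't contain newlines")
    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
        # Escape backslash and double quote so the value stays one quoted-string.
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = f'filename="{escaped}"'
    except UnicodeEncodeError:
        file_expr = f"filename*=utf-8''{quote(filename)}"
    return f"{disposition}; {file_expr}"


def filename_as_parsed(header):
    """Read the filename back as a client would: the quoted-string after
    filename=, honouring backslash escapes, ending at the first bare quote."""
    _, sep, rest = header.partition('filename="')
    if not sep:
        return None  # no quoted filename parameter present
    out, i = [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])
            i += 2
        elif ch == '"':
            break
        else:
            out.append(ch)
            i += 1
    return "".join(out)
```

With the naive builder a client stops reading the filename at the embedded quote, so the name it acts on is not the one the application intended; the hardened builder keeps the whole value inside one quoted-string.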