Introduced through: django@3.2.14, cg-django-uaa@2.1.3 and others
Fixed in: django@3.2.15, django@4.0.7, django@4.1
Exploit maturity: No known exploit
Detailed paths and remediation
Introduced through: project@0.0.0 › cg-django-uaa@2.1.3 › django@3.2.14
Fix: Pin django to version 3.2.15 or 4.0.7 or 4.1
Introduced through: project@0.0.0 › django-jinja@2.7.0 › django@3.2.14
Fix: Pin django to version 3.2.15 or 4.0.7 or 4.1
Affected versions of this package are vulnerable to Reflected File Download (RFD) because the Content-Disposition header of a FileResponse can be controlled when the filename is derived from user-supplied input.
Completion criteria
Verify that this is indeed a vulnerability for us, then either complete the remediation or document the finding, close the ticket and snooze the Snyk alert.
cnlucas changed the title from "[Snyk:HIGH] django Reflected File Download (RFD) (due by 09/30/2022)" to "[Snyk:HIGH] django Reflected File Download (RFD) (due by 09/10/2022)" on Aug 11, 2022