Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk:Medium] django Arbitrary File Upload (due by 07/09/2023) #5726

Closed
1 task
Tracked by #137
cnlucas opened this issue May 10, 2023 · 0 comments · Fixed by #5755
Closed
1 task
Tracked by #137

[Snyk:Medium] django Arbitrary File Upload (due by 07/09/2023) #5726

cnlucas opened this issue May 10, 2023 · 0 comments · Fixed by #5755
Assignees
@cnlucas
Labels
Security: general General security concern or issue Security: moderate Remediate within 60 days
Milestone
Sprint 21.6

Comments

@cnlucas
Copy link
Member

cnlucas commented May 10, 2023
edited

Introduced through
django@3.2.18, django-jinja@2.10.2 and others
Fixed in
django@3.2.19, @4.1.9, @4.2.1

Exploit maturity
No known exploit

Detailed paths and remediation

Introduced through: project@0.0.0 › django@3.2.18
Fix: Upgrade django to version 3.2.19 or 4.1.9 or 4.2.1

Introduced through: project@0.0.0 › django-jinja@2.10.2 › django@3.2.18
Fix: Pin django to version 3.2.19 or 4.1.9 or 4.2.1
Introduced through: project@0.0.0 › django-storages@1.7.1 › django@3.2.18
Fix: Pin django to version 3.2.19 or 4.1.9 or 4.2.1

…and 8 more
Security information
Factors contributing to the scoring:

Snyk: [CVSS 5.3](https://security.snyk.io/vuln/SNYK-PYTHON-DJANGO-5496950) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Affected versions of this package are vulnerable to Arbitrary File Upload by bypassing of validation of all but the last file when uploading multiple files using a single forms.FileField or forms.ImageField.

Completion criteria

  • We have either remediated the vulnerability, or determined it does not affect us and the warning is snoozed
@cnlucas cnlucas added Security: moderate Remediate within 60 days Security: general General security concern or issue labels May 10, 2023
@cnlucas cnlucas added this to the PI 21 innovation milestone May 10, 2023
@cnlucas cnlucas mentioned this issue May 10, 2023
Closed
2 tasks
@cnlucas cnlucas changed the title django Arbitrary File Upload (due by 07/09/2023) [Snyk:Medium] django Arbitrary File Upload (due by 07/09/2023) May 10, 2023
@cnlucas cnlucas mentioned this issue May 10, 2023
Closed
3 tasks
This was referenced May 17, 2023
Closed
Closed
@tmpayton tmpayton mentioned this issue May 31, 2023
Closed
2 tasks
@cnlucas cnlucas mentioned this issue Jun 1, 2023
Merged
@tmpayton tmpayton mentioned this issue Jun 7, 2023
Closed
3 tasks
@patphongs patphongs mentioned this issue Feb 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cnlucas cnlucas

Labels
Security: general General security concern or issue Security: moderate Remediate within 60 days
Projects
None yet
Milestone
Sprint 21.6
Development

Successfully merging a pull request may close this issue.

5726-upgrade django and requests fecgov/fec-cms
2 participants
@JonellaCulmer @cnlucas