Django 3.2/4.0 RFD via FileResponse CD header before 3.2.15/4.0.7
CVE-2022-36359 Published on August 3, 2022

An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Github Repository Vendor Advisory Vendor Advisory Vendor Advisory NVD

Products Associated with CVE-2022-36359

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-36359 are published in these products:

Django Project Django

Debian Linux

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-36359

Package Manager	Vulnerable Package	Versions	Fixed In
pip	django-sendfile2	< 0.7.0	0.7.0

Exploit Probability

EPSS

0.79%

Percentile

73.55%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Django 3.2/4.0 RFD via FileResponse CD header before 3.2.15/4.0.7CVE-2022-36359 Published on August 3, 2022

Products Associated with CVE-2022-36359

Vulnerable Packages

Exploit Probability

Django 3.2/4.0 RFD via FileResponse CD header before 3.2.15/4.0.7
CVE-2022-36359 Published on August 3, 2022