Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wY2poLTZyNWgtcjkycs4AAt8D
django-sendfile2 before 0.7.0 contains reflected file download vulnerability
Similar to CVE-2022-36359 for Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform a such an attack. A new version of django-sendfile2 will be released. Either download django-sendfile2 0.7.0 as a workaround or sanitize user input yourself, using Django's patch as a template: https://github.com/django/django/commit/bd062445cffd3f6cc6dcd20d13e2abed818fa173
Permalink: https://github.com/advisories/GHSA-pcjh-6r5h-r92rJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wY2poLTZyNWgtcjkycs4AAt8D
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-pcjh-6r5h-r92r
References:
- https://github.com/moggers87/django-sendfile2/security/advisories/GHSA-pcjh-6r5h-r92r
- https://github.com/moggers87/django-sendfile2/commit/4c370859023292e3715200a57843f86c5ef3cd77
- https://github.com/moggers87/django-sendfile2/releases/tag/v0.7.0
- https://github.com/advisories/GHSA-pcjh-6r5h-r92r
Blast Radius: 0.0
Affected Packages
pypi:django-sendfile2
Dependent packages: 6Dependent repositories: 177
Downloads: 25,476 last month
Affected Version Ranges: < 0.7.0
Fixed in: 0.7.0
All affected versions: 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.1, 0.6.0, 0.6.1
All unaffected versions: 0.7.0, 0.7.1