BIT-django-2024-39330
Directory Traversal vulnerability in django (PyPI)

Tags: Directory Traversal · No known exploit · Fixable by Resolved Security

What is BIT-django-2024-39330 About?

This directory traversal vulnerability affects Django versions 5.0 (before 5.0.7) and 4.2 (before 4.2.14). It arises when derived `Storage` classes override `generate_filename()` without replicating file-path validations, allowing attackers to perform directory traversal via `save()` calls. Exploitation is possible through specific inputs and can lead to arbitrary file creation or modification.

Affected Software

  • django
    • >5.0, <5.0.7
    • >4.2, <4.2.14

Technical Details

The vulnerability occurs in Django applications that use a custom storage backend derived from `django.core.files.storage.Storage`. Specifically, if a derived `Storage` class overrides the `generate_filename()` method but does not replicate the file-path sanitization and validation logic present in the parent class, the derived class becomes vulnerable. An attacker can supply a file name or path during a `save()` operation that contains directory traversal sequences (e.g., `../`, `..\`). Because the custom `generate_filename()` does not neutralize these sequences, the resulting file path resolves outside the intended upload directory. This allows the attacker to create or overwrite files in any location on the server's file system that is writable by the Django process, potentially leading to arbitrary code execution, configuration file tampering, or denial of service by overwriting critical system files.
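The pattern described above, shown as an added example that is not part of this advisory and not code from the Django project: a custom backend whose `generate_filename()` override trusts the client-supplied name, placed beside a hardened version that replicates the parent-class validation and adds a containment check on the final path. The class names `VulnerableStorage` and `HardenedStorage`, the helper `resolved_path()`, the storage root `/srv/app/media` and the sample file names are all constructed for the example; `validate_file_name()` is a stand-alone reconstruction modelled on Django's helper of the same name so the script runs without Django installed, and nothing is written to disk.

```python
import os
import pathlib
import posixpath


class SuspiciousFileOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousFileOperation so the
    example runs without Django (assumption: it plays the same role)."""


def validate_file_name(name, allow_relative_path=False):
    """Validation modelled on the check Django's base Storage applies to
    generated names (reconstructed here, not copied from Django): reject an
    empty, '.' or '..' basename and, when relative sub-paths are allowed,
    reject absolute paths and any '..' component. Backslashes are treated as
    separators as well, since the advisory lists '..\\' as a traversal sequence
    (that is stricter than Django's own check, which only looks at '/')."""
    normalized = name.replace("\\", "/")
    if posixpath.basename(normalized) in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    if allow_relative_path:
        path = pathlib.PurePosixPath(normalized)
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif normalized != posixpath.basename(normalized):
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class VulnerableStorage:
    """Custom backend in the shape the advisory describes: generate_filename()
    is overridden, but the base class's path validation is not replicated."""

    UPLOAD_DIR = "uploads"

    def __init__(self, root):
        self.root = os.path.abspath(root)

    def generate_filename(self, filename):
        # Trusts the client-supplied name as-is, '..' components included.
        return posixpath.join(self.UPLOAD_DIR, filename)

    def path(self, name):
        # Where save() would write. normpath collapses the '..' components,
        # which is exactly how the result lands outside self.root.
        return os.path.normpath(os.path.join(self.root, name))


class HardenedStorage(VulnerableStorage):
    """Same override, with the parent-class validation replicated and a
    defence-in-depth containment check on the resolved absolute path."""

    def generate_filename(self, filename):
        name = super().generate_filename(filename)
        return validate_file_name(name, allow_relative_path=True)

    def path(self, name):
        full = super().path(name)
        if os.path.commonpath([self.root, full]) != self.root:
            raise SuspiciousFileOperation(f"'{name}' resolves outside the storage root")
        return full


def resolved_path(storage, client_name):
    """Return the absolute path a save() would target for client_name, or None
    when the backend rejects the name. Nothing touches the file system."""
    try:
        return storage.path(storage.generate_filename(client_name))
    except SuspiciousFileOperation:
        return None


if __name__ == "__main__":
    # Constructed inputs: a plain name, a nested name and two traversal attempts.
    root = "/srv/app/media"
    samples = ("report.pdf", "2024/report.pdf", "../../outside.txt", "..\\..\\outside.txt")
    for backend in (VulnerableStorage(root), HardenedStorage(root)):
        for client_name in samples:
            target = resolved_path(backend, client_name)
            print(f"{type(backend).__name__:18} {client_name!r:24} -> {target}")
```

Run on Linux, the vulnerable backend maps `../../outside.txt` to `/srv/app/outside.txt`, two levels above the storage root, while the hardened backend returns `None` for both traversal inputs and still accepts the nested `2024/report.pdf`. The validation belongs in `generate_filename()` itself, not only in a later step, because that is the method the advisory identifies as the one derived classes override without carrying the check along; the `path()` containment check is a second line of defence for names that reach the backend by another route.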

What is the Impact of BIT-django-2024-39330?

Successful exploitation may allow attackers to create or overwrite arbitrary files on the server's file system, potentially leading to remote code execution, server compromise, or denial of service.

What is the Exploitability of BIT-django-2024-39330?

Exploitation requires an attacker to submit input that is eventually used to construct a file path through a vulnerable custom `Storage` class's `save()` method. This typically means remote access through a web interface that accepts file uploads. Authentication may or may not be required, depending on whether the upload functionality is restricted; no privileges beyond those needed to upload files are required. The complexity is moderate, since the attacker must understand the application's file handling logic and identify the missing sanitization in a custom `generate_filename()` implementation. This is a remote exploitation scenario. The main precondition is the use of a custom `Storage` backend that overrides `generate_filename()` without replicating the parent-class validation. The risk is significantly higher if the application lets untrusted users upload files and relies on a bespoke storage implementation without robust path validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-django-2024-39330?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

None

Available Upgrade Options

  • django
    • >4.2, <4.2.14 → Upgrade to 4.2.14
  • django
    • >5.0, <5.0.7 → Upgrade to 5.0.7


Additional Resources

What are Similar Vulnerabilities to BIT-django-2024-39330?

Similar Vulnerabilities: CVE-2023-38048, CVE-2022-41804, CVE-2021-44228, CVE-2020-25633, CVE-2019-12384