{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-20T14:42:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "USN-4479-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4479-1/"}, {"name": "FEDORA-2020-94407454d7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"name": "FEDORA-2020-6941c0a65b", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"name": "FEDORA-2020-9c6b391162", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"tags": ["x_refsource_MISC"], "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24583", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.djangoproject.com/en/dev/releases/security/", "refsource": "MISC", "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "USN-4479-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4479-1/"}, {"name": "FEDORA-2020-94407454d7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"name": "FEDORA-2020-6941c0a65b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"name": "FEDORA-2020-9c6b391162", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU"}, {"name": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM"}, {"name": "https://www.openwall.com/lists/oss-security/2020/09/01/2", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"name": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/", "refsource": "MISC", "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"name": "https://security.netapp.com/advisory/ntap-20200918-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:08.390Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "USN-4479-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4479-1/"}, {"name": "FEDORA-2020-94407454d7", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"name": "FEDORA-2020-6941c0a65b", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"name": "FEDORA-2020-9c6b391162", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24583", "datePublished": "2020-09-01T12:33:13", "dateReserved": "2020-08-21T00:00:00", "dateUpdated": "2024-08-04T15:19:08.390Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "419C0026-8399-4CEA-AC73-3BCBD26C2FE3", "versionEndExcluding": "2.2.16", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "7353206B-6A09-492C-9B8B-67738124D913", "versionEndExcluding": "3.0.10", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A860912-086E-4556-8636-E50EFC30C3B5", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Django versiones 2.2 anteriores a 2.2.16, versiones 3.0 anteriores a 3.0.10 y versiones 3.1 anteriores a 3.1.1 (cuando es usado Python 3.7+). El modo FILE_UPLOAD_DIRECTORY_PERMISSIONS no fue aplicado a los directorios de nivel intermedio creados en el proceso de carga de archivos. Tampoco se aplic\u00f3 a directorios est\u00e1ticos recopilados de nivel intermedio cuando est\u00e1 usando el comando de administraci\u00f3n collectstatic"}], "id": "CVE-2020-24583", "lastModified": "2023-11-07T03:20:08.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-01T13:15:11.150", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4479-1/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "django: incorrect permissions on intermediate-level directories on Python 3.7+", "id": "1874485", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874485"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-276", "details": ["An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.", "A flaw was found in django. The `FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not applied to intermediate-level directories created when uploading files or to intermediate-level collected static directories when using the `collectstatic` management command. The highest threat from this vulnerability is to data confidentiality."], "name": "CVE-2020-24583", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}, {"cpe": "cpe:/a:redhat:openstack:16", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 16 (Train)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2020-09-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-24583\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-24583\nhttps://www.djangoproject.com/weblog/2020/sep/01/security-releases/"], "statement": "This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.\n* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.\n* Red Hat Ceph Storage 2 and 3 uses Python 2.X\n* Red Hat Gluster Storage 3 uses Python 2.X", "threat_severity": "Moderate", "upstream_fix": "Django 3.1.1, Django 3.0.10, Django 2.2.16"}