{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-20T14:42:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "USN-4479-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4479-1/"}, {"name": "FEDORA-2020-94407454d7", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"name": "FEDORA-2020-6941c0a65b", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"name": "FEDORA-2020-9c6b391162", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"tags": ["x_refsource_MISC"], "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-24584", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.djangoproject.com/en/dev/releases/security/", "refsource": "MISC", "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "USN-4479-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4479-1/"}, {"name": "FEDORA-2020-94407454d7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"name": "FEDORA-2020-6941c0a65b", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"name": "FEDORA-2020-9c6b391162", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"name": "https://www.oracle.com/security-alerts/cpujan2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"name": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU"}, {"name": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM"}, {"name": "https://www.openwall.com/lists/oss-security/2020/09/01/2", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"name": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/", "refsource": "MISC", "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"name": "https://security.netapp.com/advisory/ntap-20200918-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:19:08.642Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "USN-4479-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4479-1/"}, {"name": "FEDORA-2020-94407454d7", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"name": "FEDORA-2020-6941c0a65b", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"name": "FEDORA-2020-9c6b391162", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-24584", "datePublished": "2020-09-01T12:36:06", "dateReserved": "2020-08-21T00:00:00", "dateUpdated": "2024-08-04T15:19:08.642Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "419C0026-8399-4CEA-AC73-3BCBD26C2FE3", "versionEndExcluding": "2.2.16", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "7353206B-6A09-492C-9B8B-67738124D913", "versionEndExcluding": "3.0.10", "versionStartIncluding": "3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A860912-086E-4556-8636-E50EFC30C3B5", "versionEndExcluding": "3.1.1", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Django versiones 2.2 anteriores a 2.2.16, versiones 3.0 anteriores a 3.0.10 y versiones 3.1 anteriores a 3.1.1 (cuando es usado Python 3.7+). Los directorios de nivel intermedio de la cach\u00e9 del sistema de archivos ten\u00edan la umask est\u00e1ndar del sistema en lugar de 0o077"}], "id": "CVE-2020-24584", "lastModified": "2023-11-07T03:20:08.543", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-01T13:15:11.197", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/django-announce/Gdqn58RqIDM"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/django-announce/zFCMdgUnutU"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2ZHO3GZCJMP3DDTXCNVFV6ED3W64NAU/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OLGFFLMF3X6USMJD7V5F5P4K2WVUTO3T/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCRPQCBTV3RZHKVZ6K6QOAANPRZQD3GI/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200918-0004/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4479-1/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2020/sep/01/security-releases/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/09/01/2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "django: permission escalation in intermediate-level directories of the file system cache on Python 3.7+", "id": "1874492", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874492"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-276", "details": ["An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.", "A flaw was found in django. The intermediate-level directories of the file system cache had the system's standard umask rather than `0o077` (no group or others permissions). The highest threat from this vulnerability is to data confidentiality."], "name": "CVE-2020-24584", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}, {"cpe": "cpe:/a:redhat:openstack:16", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 16 (Train)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2020-09-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-24584\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-24584\nhttps://www.djangoproject.com/weblog/2020/sep/01/security-releases"], "statement": "This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.\n* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.\n* Red Hat Ceph Storage 2 and 3 uses Python 2.X\n* Red Hat Gluster Storage 3 uses Python 2.X", "threat_severity": "Moderate", "upstream_fix": "Django 3.1.1, Django 3.0.10, Django 2.2.16"}