This repository was archived by the owner on Mar 27, 2025. It is now read-only.

Reflected file download vulnerability

High
moggers87 published GHSA-pcjh-6r5h-r92r Aug 8, 2022

Package

django-sendfile2 (pip)

Affected versions

<0.6.1

Patched versions

0.7.0

Description

Impact

Similar to CVE-2022-36359 for Django, django-sendfile2 did not protect against a reflected file download attack in version 0.6.1 and earlier. If the file name used by django-sendfile2 was derived from user input, then it would be possible to perform such an attack.

Patches

A new version of django-sendfile2 will be released.

Workarounds

Either upgrade to django-sendfile2 0.7.0 or sanitize user input yourself, using Django's patch as a template: django/django@bd06244
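The following is an added illustration of the workaround, not code from django-sendfile2 or from the Django commit itself. It reproduces the escaping pattern Django adopted for CVE-2022-36359 in a framework-free helper: an ASCII file name is placed in a quoted string with backslashes and double quotes escaped, so a user-derived name cannot close the quoted string and append further header parameters, and a non-ASCII name falls back to the RFC 5987 `filename*=utf-8''` form. The CR/LF rejection is an extra defensive check assumed here (Django's response object already refuses such header values); the function and sample names are constructed for this example.

```python
from urllib.parse import quote


def content_disposition_header(filename, as_attachment=True):
    """Build a Content-Disposition header value from a possibly user-derived name.

    Follows the escaping pattern of Django's CVE-2022-36359 fix:
      - ASCII names: quoted, with '\\' and '"' escaped so the quoted string
        cannot be terminated early by attacker-controlled characters.
      - non-ASCII names: RFC 5987 filename*=utf-8''<percent-encoded> form.
    Header injection via CR/LF is rejected outright (added check, not part of
    the upstream patch; Django raises BadHeaderError for the same condition).
    """
    if "\r" in filename or "\n" in filename:
        raise ValueError("file name must not contain CR or LF")

    disposition = "attachment" if as_attachment else "inline"
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        # Non-ASCII: percent-encode under the extended parameter syntax.
        file_expr = "filename*=utf-8''{}".format(quote(filename))
    else:
        escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
        file_expr = 'filename="{}"'.format(escaped)
    return "{}; {}".format(disposition, file_expr)


def unsafe_content_disposition_header(filename):
    """Pre-fix shape for comparison only: the name is interpolated unescaped,
    so a name containing a double quote ends the quoted string and anything
    after it is interpreted as further header content."""
    return 'attachment; filename="{}"'.format(filename)


if __name__ == "__main__":
    # Constructed sample names covering the plain, quoted and non-ASCII cases.
    for name in ["report.csv", 'notes "draft".txt', "résumé.pdf"]:
        print(repr(name), "->", content_disposition_header(name))
```

In a Django view the returned value would be assigned to `response["Content-Disposition"]`; the point of the helper is that the escaping happens before any user-supplied string reaches the header, which is what the patched versions do for you.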

References

Severity

High

CVE ID

No known CVE

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Credits