SB2020091027 - Multiple vulnerabilities in Django
Published: September 10, 2020 Updated: September 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Incorrect default permissions (CVE-ID: CVE-2020-24583)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application when "FILE_UPLOAD_DIRECTORY_PERMISSIONS" mode was not applied to intermediate-level directories created in the process of uploading files. A remote attacker can view contents of files and directories.
2) Incorrect default permissions (CVE-ID: CVE-2020-24584)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to the intermediate-level directories of the filesystem cache have the system's standard umask rather than 0o077. A remote attacker can view contents of files and directories.
Remediation
Install update from vendor's website.
References
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#!topic/django-announce/Gdqn58RqIDM
- https://groups.google.com/forum/#!topic/django-announce/zFCMdgUnutU
- https://usn.ubuntu.com/4479-1/
- https://www.djangoproject.com/weblog/2020/sep/01/security-releases/
- https://www.openwall.com/lists/oss-security/2020/09/01/2