CVE-2022-36359
Publication date 3 August 2022
Last updated 25 August 2025
Ubuntu priority
Description
An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-django | ||
| 22.04 LTS jammy |
Fixed 2:3.2.12-2ubuntu1.2
|
|
| 20.04 LTS focal |
Fixed 2:2.2.12-1ubuntu0.13
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5549-1
- Django vulnerability
- 4 August 2022