[Snyk:HIGH] django Reflected File Download (RFD) (due by 09/10/2022)

[cnlucas]

Introduced through
django@3.2.14, django-haystack@3.1.1 and others
Fixed in
django@3.2.15, @4.0.7, @4.1
Detailed paths and remediation

Introduced through: project@0.0.0 › django@3.2.14
Fix: Upgrade django to version 3.2.15 or 4.0.7 or 4.1

Introduced through: project@0.0.0 › django-haystack@3.1.1 › django@3.2.14
Fix: Pin django to version 3.2.15 or 4.0.7 or 4.1
Introduced through: project@0.0.0 › django-mptt@0.13.4 › django-js-asset@2.0.0 › django@3.2.14
Fix: Pin django to version 3.2.15 or 4.0.7 or 4.1

Overview

Affected versions of this package are vulnerable to Reflected File Download (RFD) as it is possible to set the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input.

Completion criteria

• Verify that this is indeed a vulnerability for us and either complete the remediation or document, close the ticket and snooze the Snyk alert.