CVE-2020-24584 (High) detected in Django-3.0.2-py3-none-any.whl

[mend-bolt-for-github]

CVE-2020-24584 - High Severity Vulnerability

Vulnerable Library - Django-3.0.2-py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/55/d1/8ade70e65fa157e1903fe4078305ca53b6819ab212d9fbbe5755afc8ea2e/Django-3.0.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• ❌ Django-3.0.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: b61102096aa462e92c4eefd8ddd28d2c045e8489

Vulnerability Details

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

Publish Date: 2020-09-01

URL: CVE-2020-24584

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

Release Date: 2020-09-01

Fix Resolution: 2.2.16,3.0.10,3.1.1

---

Step up your Open Source Security Game with WhiteSource here