CVE-2020-24583

HIGH

Django <2.2.16, 3.0<10, 3.1<1 - Info Disclosure

Title source: llm
STIX 2.1

Description

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

References (11)

Core 11
Core References
Patch, Vendor Advisory x_refsource_misc
https://docs.djangoproject.com/en/dev/releases/security/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4479-1/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2020/09/01/2
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200918-0004/

Scores

CVSS v3 7.5
EPSS 0.0343
EPSS Percentile 87.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-276
Status published
Products (7)
canonical/ubuntu_linux 20.04
djangoproject/django 2.2 - 2.2.16
fedoraproject/fedora 31
fedoraproject/fedora 32
fedoraproject/fedora 33
oracle/zfs_storage_appliance_kit 8.8
pypi/Django 2.2a1 - 2.2.16PyPI
Published Sep 01, 2020
Tracked Since Feb 18, 2026