CVE-2020-24584

HIGH

Django <2.2.16, <3.0.10, <3.1.1 - Info Disclosure

Title source: llm
STIX 2.1

Description

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

References (11)

Core 11
Core References
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4479-1/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2020/09/01/2
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200918-0004/

Scores

CVSS v3 7.5
EPSS 0.0329
EPSS Percentile 87.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-276
Status published
Products (7)
canonical/ubuntu_linux 20.04
djangoproject/django 2.2 - 2.2.16
fedoraproject/fedora 31
fedoraproject/fedora 32
fedoraproject/fedora 33
oracle/zfs_storage_appliance_kit 8.8
pypi/Django 2.2 - 2.2.16PyPI
Published Sep 01, 2020
Tracked Since Feb 18, 2026