An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)
References
Link | Resource |
---|---|
https://docs.djangoproject.com/en/dev/releases/security/ | Vendor Advisory |
https://groups.google.com/forum/#%21forum/django-announce | Permissions Required |
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ | Vendor Advisory |
https://docs.djangoproject.com/en/dev/releases/security/ | Vendor Advisory |
https://groups.google.com/forum/#%21forum/django-announce | Permissions Required |
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
16 Jun 2025, 21:39
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* | |
First Time |
Djangoproject
Djangoproject django |
|
References | () https://docs.djangoproject.com/en/dev/releases/security/ - Vendor Advisory | |
References | () https://groups.google.com/forum/#%21forum/django-announce - Permissions Required | |
References | () https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ - Vendor Advisory |
21 Nov 2024, 09:27
Type | Values Removed | Values Added |
---|---|---|
References | () https://docs.djangoproject.com/en/dev/releases/security/ - | |
References | () https://groups.google.com/forum/#%21forum/django-announce - | |
References | () https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ - |
01 Nov 2024, 15:35
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
CWE | CWE-22 |
11 Jul 2024, 13:05
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
10 Jul 2024, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-10 05:15
Updated : 2025-06-16 21:39
NVD link : CVE-2024-39330
Mitre link : CVE-2024-39330
CVE.ORG link : CVE-2024-39330
JSON object : View
Products Affected
djangoproject
- django
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')