Rainer Koirikivi

**Name of the Vulnerable Software and Affected Versions** Django versions 1.4.x through 1.4.6 Django versions 1.5.x through 1.5.2 Django versions 1.6.x through 1.6 beta 2 **Description** The issue allows remote attackers to read arbitrary files via a file path in the ALLOWED INCLUDE ROOTS setting followed by a `..` (dot dot) in a ssi template tag. This is a directory traversal vulnerability. **Recommendations** For Django versions 1.4.x through 1.4.6, update to version 1.4.7 or later. For Django versions 1.5.x through 1.5.2, update to version 1.5.3 or later. For Django versions 1.6.x through 1.6 beta 2, update to version 1.6 beta 3 or later. As a temporary workaround, consider restricting access to the ALLOWED INCLUDE ROOTS setting and ssi template tags to minimize the risk of exploitation.