PT-2022-16914 · Unknown · Django-S3File

Codingjoe · Published 2022-06-06 · Updated 2022-06-17 · CVE-2022-24840

CVSS v4.0: 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: django-s3file versions prior to 5.5.1
Description: The vulnerability allows an attacker to traverse the entire AWS S3 bucket and, in most cases, to access or delete the files in it. If the AWS_LOCATION setting was set, traversal was limited to that location only. The problem was discovered by the maintainer, and there were no reports of it being known to or exploited by a third party before the patch was released. An attacker can send a request with malicious form data to read files or perform destructive operations on them.
Recommendations: For versions prior to 5.5.1, update to version 5.5.1 or later to fix the issue. There is no feasible workaround, so all users are urged to update to a patched version immediately. Until the update is applied, as a temporary measure, restrict access to sensitive files and locations in the AWS S3 bucket, for example by limiting what the application's own S3 credentials may read or delete, since the traversal runs with those credentials.
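The following Python is an added illustration, not django-s3file's own code and not the project's fix. It models the two behaviours the description contrasts: a lookup bounded only by the storage root (what an AWS_LOCATION-style setting gives you), versus one that also confines the client-supplied object key to the upload folder. It assumes, as django-s3file does, that the value of a submitted form field is the bucket key the server then opens; the dict standing in for the bucket, the LOCATION and UPLOAD_PREFIX values, the function names and the sample keys are all constructed here.

```python
import posixpath


class SuspiciousKey(ValueError):
    """Raised when a client-supplied object key escapes the allowed upload folder."""


# Constructed stand-in for an S3 bucket (object key -> body). Runs offline.
FAKE_BUCKET = {
    "media/tmp/s3file/upload-1/report.pdf": b"the user's own upload",
    "media/private/customers.sqlite": b"another tenant's data",
    "backups/prod-secrets.env": b"SECRET_KEY=...",
}

# Assumed values: the storage root (what an AWS_LOCATION-style setting would
# hold; set it to "" to model a bucket with no location) and the folder the
# upload widget is allowed to write into. Trailing slashes are significant:
# "media/tmp/s3file/" does not match a sibling key "media/tmp/s3filex/...".
LOCATION = "media/"
UPLOAD_PREFIX = "media/tmp/s3file/"


def vulnerable_open(submitted_key, bucket=FAKE_BUCKET):
    """Pre-fix pattern: the key named by the hidden form field is opened as-is.

    The only bound is the storage root, so every object under LOCATION is
    reachable; with LOCATION == "" the whole bucket is. Keys outside the root
    behave like a missing file (None).
    """
    norm = posixpath.normpath(submitted_key)
    if LOCATION and not norm.startswith(LOCATION):
        return None
    return bucket.get(norm)


def confine(submitted_key, prefix=UPLOAD_PREFIX):
    """Return the normalized key if it names an object strictly inside prefix.

    normpath collapses '.', '..' and repeated slashes first, so the check runs
    on the resolved key, not on the raw string the client sent.
    """
    norm = posixpath.normpath(submitted_key)
    if norm == prefix.rstrip("/") or not norm.startswith(prefix):
        raise SuspiciousKey(f"object key outside upload folder: {submitted_key!r}")
    return norm


def is_confined(submitted_key, prefix=UPLOAD_PREFIX):
    """Boolean form of confine() for callers that only need a yes/no answer."""
    try:
        confine(submitted_key, prefix)
    except SuspiciousKey:
        return False
    return True


def hardened_open(submitted_key, bucket=FAKE_BUCKET):
    """Open only objects that confine() accepts; raises SuspiciousKey otherwise."""
    return bucket.get(confine(submitted_key))


def hardened_delete(submitted_key, bucket):
    """Delete only objects that confine() accepts; True if something was removed."""
    return bucket.pop(confine(submitted_key), None) is not None


def demo():
    """Feed constructed attacker keys to both lookups; returns per-key results."""
    attacker_keys = [
        "media/private/customers.sqlite",                    # arbitrary key under the root
        "media/tmp/s3file/../../private/customers.sqlite",   # same target via dot-dot
        "backups/prod-secrets.env",                          # outside LOCATION: the root stops it
    ]
    results = {}
    for key in attacker_keys:
        results[key] = {
            "vulnerable_leaks": vulnerable_open(key) is not None,
            "hardened_blocks": not is_confined(key),
        }
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key!r}: {outcome}")
```

The same confine() check guards both the read and the delete path, because the advisory covers both outcomes. S3 itself stores keys literally and does not resolve "..", so the normalization step is there for storage layers that do resolve it before building the key; the prefix comparison is what actually keeps the request inside the upload folder.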

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2022-24840
GHSA-4W8F-HJM9-XWGF
PYSEC-2022-208

Affected Products

Django-S3File