PT-2024-6226 · Django+6

Josh Schneier · Published 2024-06-23 · Updated 2026-01-30

CVE-2024-39330

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Django versions 4.2 through 4.2.13
Django versions 5.0 through 5.0.6
Description

Derived classes of the django.core.files.storage.Storage base class that override generate_filename() without replicating the file-path validation performed by the parent class allow potential directory traversal via certain inputs when save() is called. The built-in Storage subclasses are unaffected. The weakness is an improper restriction of the path name used when a file is written: a remote attacker who controls the name of an uploaded file may be able to write arbitrary files outside the intended storage location.
Recommendations

For Django versions 4.2 through 4.2.13, update to version 4.2.14 or later. For Django versions 5.0 through 5.0.6, update to version 5.0.7 or later.

If the upgrade cannot be applied immediately, audit every custom subclass of django.core.files.storage.Storage that overrides generate_filename() and make each override replicate the parent's validation: delegate to super().generate_filename(), which rejects a ".." component in the directory part and passes the basename through get_valid_name(), or apply equivalent checks to the value the override returns. Treat the file name supplied with an upload as attacker-controlled and confirm, for the storage backend actually in use, that the path save() writes to cannot leave the storage root. Limiting upload endpoints to authenticated, trusted users reduces exposure but does not remove the flaw.
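Worked illustration of the pattern described above, added here as an example and not Django's own code. It is a small stand-in for django.core.files.storage.Storage that runs without Django installed: the names BaseStorage, VulnerableUploadsStorage, HardenedUploadsStorage, probe and the root /srv/app/media are assumptions of this example. The stand-in's base generate_filename() performs the same checks as Django's (refuse a ".." component in the directory part, pass the basename through the valid-filename filter), and validate_file_name() is modelled on Django's helper of that name. A subclass that overrides generate_filename() to prefix an uploads/ folder without calling the parent lets "../" and absolute inputs resolve outside the storage root; the hardened subclass delegates to the parent and additionally re-validates the generated name inside save(). In Django the call reaches Storage.generate_filename() via FileField.generate_filename(); that indirection is collapsed here.

```python
"""Stand-in model of the CVE-2024-39330 pattern. Not Django code: the classes
below imitate the shape of django.core.files.storage.Storage so the example
runs without Django installed (assumption of this example)."""
import os
import pathlib
import posixpath
import re


class SuspiciousFileOperation(Exception):
    """Models django.core.exceptions.SuspiciousFileOperation."""


def get_valid_filename(name):
    # Same intent as django.utils.text.get_valid_filename: keep word characters,
    # dashes and dots only, and refuse a result that is empty or a bare dot component.
    cleaned = re.sub(r"[^-\w.]", "", str(name).strip().replace(" ", "_"))
    if cleaned in {"", ".", ".."}:
        raise SuspiciousFileOperation(f"Could not derive file name from '{name}'")
    return cleaned


def validate_file_name(name, allow_relative_path=False):
    # Same intent as django.core.files.utils.validate_file_name: with
    # allow_relative_path, an absolute path or any '..' component is refused.
    path = pathlib.PurePosixPath(str(name).replace("\\", "/"))
    if allow_relative_path:
        if path.is_absolute() or ".." in path.parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{name}'")
    elif name != path.name:
        raise SuspiciousFileOperation(f"File name '{name}' includes path elements")
    return name


class BaseStorage:
    """Models the base Storage: generate_filename() refuses '..' in the directory part."""

    def __init__(self, root):
        self.root = os.path.abspath(root)

    def generate_filename(self, filename):
        filename = str(filename).replace("\\", "/")
        dirname, basename = os.path.split(filename)
        if ".." in pathlib.PurePath(dirname).parts:
            raise SuspiciousFileOperation(f"Detected path traversal attempt in '{dirname}'")
        return os.path.normpath(os.path.join(dirname, get_valid_filename(basename)))

    def _save(self, name, content):
        # A thin backend that trusts `name` (an object key, a raw open(), ...).
        # It returns the resolved target instead of writing, so the example is read-only.
        return os.path.normpath(os.path.join(self.root, name))

    def save(self, name, content):
        # Unpatched shape: whatever generate_filename() returns goes straight to _save().
        return self._save(self.generate_filename(name), content)

    def is_inside_root(self, target):
        # The check a practitioner wants when testing an override: does the
        # resolved target still live under the storage root?
        return os.path.commonpath([self.root, target]) == self.root


class VulnerableUploadsStorage(BaseStorage):
    """Override that drops the parent's validation: it only prefixes a folder."""

    def generate_filename(self, filename):
        return posixpath.join("uploads", filename)


class HardenedUploadsStorage(BaseStorage):
    """Override that validates through the parent first, then prefixes."""

    def generate_filename(self, filename):
        return posixpath.join("uploads", super().generate_filename(filename))

    def save(self, name, content):
        # Defence in depth: re-check the generated name in save() itself, so an
        # absolute path (which the parent's '..' check alone does not catch) or a
        # careless override further down the hierarchy cannot escape the root.
        generated = self.generate_filename(name)
        validate_file_name(generated, allow_relative_path=True)
        return self._save(generated, content)


def probe(storage_cls, root, upload_name):
    """Drive one save(); report ('written', target, inside_root) or ('rejected', reason, None)."""
    storage = storage_cls(root)
    try:
        target = storage.save(upload_name, b"constructed payload")  # content is never written
    except SuspiciousFileOperation as exc:
        return ("rejected", str(exc), None)
    return ("written", target, storage.is_inside_root(target))


if __name__ == "__main__":
    for cls in (VulnerableUploadsStorage, HardenedUploadsStorage):
        for name in ("report.pdf", "../../etc/cron.d/evil", "/etc/cron.d/evil"):
            print(cls.__name__, repr(name), probe(cls, "/srv/app/media", name))
```

Running the module prints, for each storage class, where the three constructed upload names would land. The vulnerable class resolves "../../etc/cron.d/evil" to /srv/app/etc/cron.d/evil and "/etc/cron.d/evil" to itself, both outside the root; the hardened class rejects both and keeps "report.pdf" under /srv/app/media/uploads/. The absolute-path case is the reason the hardened save() re-validates rather than relying on the parent's generate_filename() alone.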

Fix

Weakness Enumeration

Path traversal

Related Identifiers

ALT-PU-2024-10534
ALT-PU-2025-10176
BDU:2024-07170
BIT-DJANGO-2024-39330
CVE-2024-39330
GHSA-9JMF-237G-QF46
MGASA-2025-0039
OESA-2024-2002
OESA-2024-2003
OESA-2024-2004
OESA-2024-2036
OESA-2024-2280
OPENSUSE-SU-2024:0251-1
OPENSUSE-SU-2024:14203-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2024_2545-1
OPENSUSE-SU-2026:10005-1
OPENSUSE-SU-2026:10125-1
PYSEC-2024-58
RHSA-2024:6428
RHSA-2024:8906
RHSA-2024:9481
SUSE-SU-2024:2545-1
SUSE-SU-2024:2577-1
USN-6888-1
USN-6888-2

Affected Products

Alt Linux
Astra Linux
Debian
Django
Linuxmint
Suse
Ubuntu