Bug 1227594 (CVE-2024-39330)

Summary: VUL-0: CVE-2024-39330: python-Django: potential directory traversal in django.core.files.storage.Storage.save()
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Nico Krapp <nico.krapp>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: aplanas, camila.matos, nico.krapp
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/413231/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39330:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-07-09 18:48:13 UTC 
CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save()
=========================================================================================

Derived classes of the ``django.core.files.storage.Storage`` base class
which override ``generate_filename()`` without replicating the file path
validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling ``save()``.

Built-in ``Storage`` sub-classes were not affected by this vulnerability.

Thanks to Josh Schneier for the report.

This issue has severity "low" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 5.1 (currently at beta status)
* Django 5.0
* Django 4.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main, 5.1, 5.0, and 4.2 branches. The patches may be obtained from the  following changesets.

CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save()
-----------------------------------------------------------------------------------------

* On the `main branch <
https://github.com/django/django/commit/fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d
* On the `5.1 branch <
https://github.com/django/django/commit/6d36203648a7e14abc89b9aeb8ae9678535b51fb
* On the `5.0 branch <
https://github.com/django/django/commit/9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270
* On the `4.2 branch <
https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e

The following releases have been issued
=======================================

* Django 5.0.7 (`download Django 5.0.7
  <https://www.djangoproject.com/m/releases/5.0/Django-5.0.7.tar.gz>`_ |
  `5.0.7 checksums
  <https://www.djangoproject.com/m/pgp/Django-5.0.7.checksum.txt>`_)
* Django 4.2.14 (`download Django 4.2.14
  <https://www.djangoproject.com/m/releases/4.2/Django-4.2.14.tar.gz>`_ |
  `4.2.14 checksums
  <https://www.djangoproject.com/m/pgp/Django-4.2.14.checksum.txt>`_)

The PGP key ID used for this release is Natalia Bidart: `2EE82A8D9470983E <
https://github.com/nessita.gpg>`_

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39330
https://seclists.org/oss-sec/2024/q3/39
https://github.com/django/django/commit/fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d
https://github.com/django/django/commit/6d36203648a7e14abc89b9aeb8ae9678535b51fb
https://github.com/django/django/commit/9f4f63e9ebb7bf6cb9547ee4e2526b9b96703270
https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e
Comment 6 Maintenance Automation 2024-07-17 16:30:10 UTC 
SUSE-SU-2024:2545-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1207565, 1227590, 1227593, 1227594, 1227595
CVE References: CVE-2023-23969, CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, CVE-2024-39614
Maintenance Incident: [SUSE:Maintenance:34811](https://smelt.suse.de/incident/34811/)
Sources used:
openSUSE Leap 15.5 (src):
 python-Django-2.0.7-150000.1.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 OBSbugzilla Bot 2024-07-17 18:15:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1227594) was mentioned in
https://build.opensuse.org/request/show/1188243 Factory / python-Django