An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.)

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:6428 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-controller: Django: Potential SQL injection in QuerySet.values() and values_list()     (CVE-2024-42005)
    * automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize()     and AdminURLFieldWidget (CVE-2024-41991)
    * automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize()     (CVE-2024-41990)
    * automation-controller: python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats     (CVE-2024-33663)
    * automation-controller: python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-     django (CVE-2024-32879)
    * automation-controller: Gain access to the k8s API server via job execution with Container Group     (CVE-2024-6840)
    * python3/python39-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)
    * python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and     AdminURLFieldWidget (CVE-2024-41991)
    * python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize()     (CVE-2024-41990)
    * python3/python39-django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)
    * python3/python39-django: Potential denial-of-service in     django.utils.translation.get_supported_language_variant() (CVE-2024-39614)
    * python3/python39-django: Potential directory-traversal in django.core.files.storage.Storage.save()     (CVE-2024-39330)
    * python3/python39-django: Username enumeration through timing difference for users with unusable     passwords (CVE-2024-39329)
    * python3/python39-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)
    * python3/python39-grpcio: client communicating with a HTTP/2 proxy can poison the HPACK table between the     proxy and the backend (CVE-2024-7246)
    * python3/python39-zipp: Denial of Service (infinite loop) via crafted zip file (CVE-2024-5569)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes for automation controller:
    * Updated the receptor to not automatically release the receptor work unit when     RECEPTOR_KEEP_WORK_ON_ERROR is set to true (AAP-27635)
    * Updated the Help link in the REST API to point to the latest API Reference documentation (AAP-27573)
    * Fixed a timeout error in the UI when trying to load the Activity Stream (AAP-26772)
    * automation-controller has been updated to 4.5.10

    Updates and fixes for automation hub:
    * API browser now correctly escapes JSON values (AAH-3272, AAP-14463)
    * python3/python39-pulpcore has been updated to 3.28.31
    * python3/python39-pulp-ansible has been updated to 0.20.8

    Additional fixes:
    * Gunicorn python package will no longer obsolete itself when checking for or applying updates (AAP-28364)
    * python3/python39-django has been updated to 4.2.15
    * python3/python39-grpcio has been updated to 1.58.3
    * python3/python39-jmespath has been updated to 0.10.0-5
    * python3/python39-zipp has been updated to 3.19.2

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2577-1 advisory.

    - CVE-2024-38875: Fixed potential denial-of-service attack via certain inputs with a very large number of     brackets (bsc#1227590)
    - CVE-2024-39329: Fixed username enumeration through timing difference for users with unusable passwords     (bsc#1227593)
    - CVE-2024-39330: Fixed potential directory traversal in django.core.files.storage.Storage.save()     (bsc#1227594)
    - CVE-2024-39614: Fixed potential denial-of-service through     django.utils.translation.get_supported_language_variant() (bsc#1227595)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2545-1 advisory.

    - CVE-2024-38875: Fixed potential denial-of-service attack via certain inputs with a very large number of     brackets (bsc#1227590)
    - CVE-2024-39329: Fixed username enumeration through timing difference for users with unusable passwords     (bsc#1227593)
    - CVE-2024-39330: Fixed potential directory traversal in django.core.files.storage.Storage.save()     (bsc#1227594)
    - CVE-2024-39614: Fixed potential denial-of-service through     django.utils.translation.get_supported_language_variant() (bsc#1227595)
    - CVE-2023-23969: Fixed potential denial-of-service via Accept-Language headers (bsc#1207565)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6888-2 advisory.

    USN-6888-1 fixed several vulnerabilities in Django. This update provides the corresponding update for     Ubuntu 18.04 LTS.



Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 171afa61-3eba-11ef-a58f-080027836e8b advisory.

    Django reports:
    CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize().
    CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords.
    CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save().
    CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant().

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.10 / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6888-1 advisory.

    Elias Myllymki discovered that Django incorrectly handled certain inputs with a large number of     brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop     responding, resulting in a denial of service. (CVE-2024-38875)

    It was discovered that Django incorrectly handled authenticating users with unusable passwords. A remote     attacker could possibly use this issue to perform a timing attack and enumerate users. (CVE-2024-39329)

    Josh Schneier discovered that Django incorrectly handled file path validation when the storage class is     being derived. A remote attacker could possibly use this issue to save files into arbitrary directories.
    (CVE-2024-39330)

    It was discovered that Django incorrectly handled certain long strings that included a specific set of     characters. A remote attacker could possibly use this issue to cause Django to consume resources or stop     responding, resulting in a denial of service. (CVE-2024-39614)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
206781	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:6428)	Nessus	Red Hat Local Security Checks	high
203002	SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2024:2577-1)	Nessus	SuSE Local Security Checks	medium
202588	openSUSE 15 Security Update : python-Django (SUSE-SU-2024:2545-1)	Nessus	SuSE Local Security Checks	high
202186	Ubuntu 18.04 LTS : Django vulnerabilities (USN-6888-2)	Nessus	Ubuntu Local Security Checks	medium
202142	FreeBSD : Django -- multiple vulnerabilities (171afa61-3eba-11ef-a58f-080027836e8b)	Nessus	FreeBSD Local Security Checks	medium
202084	Ubuntu 20.04 LTS / 22.04 LTS / 23.10 / 24.04 LTS : Django vulnerabilities (USN-6888-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2024-39330

medium

Tenable Plugins

high

medium

high

medium

medium

medium