Bug 1874485 (CVE-2020-24583) - CVE-2020-24583 django: incorrect permissions on intermediate-level directories on Python 3.7+
Summary: CVE-2020-24583 django: incorrect permissions on intermediate-level directorie...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-24583
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1874486 1874487 1874488 1874489 1874924
Blocks: 1874498
TreeView+ depends on / blocked
 
Reported: 2020-09-01 13:37 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)
31 users (show)

Fixed In Version: Django 3.1.1, Django 3.0.10, Django 2.2.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django. The `FILE_UPLOAD_DIRECTORY_PERMISSIONS` mode was not applied to intermediate-level directories created when uploading files or to intermediate-level collected static directories when using the `collectstatic` management command. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2020-09-28 14:40:52 UTC
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-09-01 13:37:04 UTC
On Python 3.7+, ``FILE_UPLOAD_DIRECTORY_PERMISSIONS`` mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the ``collectstatic`` management command.

Reference:
https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

Comment 1 Guilherme de Almeida Suckevicz 2020-09-01 13:37:42 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1874488]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1874486]
Affects: fedora-all [bug 1874487]
Affects: openstack-rdo [bug 1874489]

Comment 4 Riccardo Schirone 2020-09-03 07:20:21 UTC
This only affects Django running on Python 3.7+ due to some changes in how os.makedirs behaves. From the Python documentation, "Changed in version 3.7: The mode argument [of os.makedirs] no longer affects the file permission bits of newly-created intermediate-level directories.". For this reason, users of os.makedirs, like Django, should set the umask accordingly if they want the intermediate-level directories to have the proper permissions.

Comment 9 Sage McTaggart 2020-09-25 21:32:47 UTC
External References:

https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

Comment 11 Hardik Vyas 2020-09-28 13:09:42 UTC
Statement:

This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.

* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.
* Red Hat Ceph Storage 2 and 3 uses Python 2.X
* Red Hat Gluster Storage 3 uses Python 2.X

Comment 12 Product Security DevOps Team 2020-09-28 14:40:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24583


Note You need to log in before you can comment on or make changes to this bug.