1874492 – (CVE-2020-24584) CVE-2020-24584 django: permission escalation in intermediate-level directories of the file system cache on Python 3.7+

Bug 1874492 (CVE-2020-24584) - CVE-2020-24584 django: permission escalation in intermediate-level directories of the file system cache on Python 3.7+

Summary: CVE-2020-24584 django: permission escalation in intermediate-level directorie...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-24584
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1874493 1874495 1874494 1874496
Blocks:	1874498
TreeView+	depends on / blocked

Reported:	2020-09-01 13:39 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-12-14 18:47 UTC (History)
CC List:	31 users (show)
Fixed In Version:	Django 3.1.1, Django 3.0.10, Django 2.2.16
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in django. The intermediate-level directories of the file system cache had the system's standard umask rather than `0o077` (no group or others permissions). The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:	2020-09-28 14:40:57 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-09-01 13:39:43 UTC

On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than ``0o077`` (no group or others permissions).

Reference:
https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

Comment 1 Guilherme de Almeida Suckevicz 2020-09-01 13:40:23 UTC

Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1874495]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1874493]
Affects: fedora-all [bug 1874494]
Affects: openstack-rdo [bug 1874496]

Comment 2 Riccardo Schirone 2020-09-03 07:23:14 UTC

Upstream fix:
https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71

Comment 7 Sage McTaggart 2020-09-25 21:30:01 UTC

External References:

https://www.djangoproject.com/weblog/2020/sep/01/security-releases

Comment 9 Hardik Vyas 2020-09-28 13:10:29 UTC

Statement:

This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.

* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.
* Red Hat Ceph Storage 2 and 3 uses Python 2.X
* Red Hat Gluster Storage 3 uses Python 2.X

Comment 10 Product Security DevOps Team 2020-09-28 14:40:57 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24584

Note You need to log in before you can comment on or make changes to this bug.

apevec
bbuckingham
bcourt
bkearney
btotty
dbecker
hhudgeon
hvyas
jal233
jjoyce
jschluet
kbasil
lhh
lpeer
lzap
mburns
mhroncok
michel
mmccune
mrunge
nmoumoul
puebele
rchan
rdopiera
rhos-maint
rjerrido
sclewis
sgallagh
slavek.kabrda
slinaber
sokeeffe