Bug 1874492 (CVE-2020-24584) - CVE-2020-24584 django: permission escalation in intermediate-level directories of the file system cache on Python 3.7+
Summary: CVE-2020-24584 django: permission escalation in intermediate-level directorie...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-24584
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1874493 1874495 1874496 1874494
Blocks: 1874498
TreeView+ depends on / blocked
 
Reported: 2020-09-01 13:39 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-10-12 13:03 UTC (History)
32 users (show)

Fixed In Version: Django 3.1.1, Django 3.0.10, Django 2.2.16
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in django. The intermediate-level directories of the file system cache had the system's standard umask rather than `0o077` (no group or others permissions). The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2020-09-28 14:40:57 UTC


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-09-01 13:39:43 UTC
On Python 3.7+, the intermediate-level directories of the file system cache had the system's standard umask rather than ``0o077`` (no group or others permissions).

Reference:
https://www.djangoproject.com/weblog/2020/sep/01/security-releases/

Comment 1 Guilherme de Almeida Suckevicz 2020-09-01 13:40:23 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1874495]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1874493]
Affects: fedora-all [bug 1874494]
Affects: openstack-rdo [bug 1874496]

Comment 7 amctagga 2020-09-25 21:30:01 UTC
External References:

https://www.djangoproject.com/weblog/2020/sep/01/security-releases

Comment 9 Hardik Vyas 2020-09-28 13:10:29 UTC
Statement:

This flaw can only be triggered in Django by using Python version 3.7 and newer. While the flawed package is shipped with the below Red Hat products, the flaw cannot be activated without manually updating Python to a newer release. This change would break many features and is an unsupported configuration.

* Red Hat OpenStack Platform versions 15 and 16 ship Python 3.6.8; 10 and 13 ship Python 2.X.
* Red Hat Ceph Storage 2 and 3 uses Python 2.X
* Red Hat Gluster Storage 3 uses Python 2.X

Comment 10 Product Security DevOps Team 2020-09-28 14:40:57 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-24584


Note You need to log in before you can comment on or make changes to this bug.