CVE-2022-36359: 
Django vulnerability analysis and mitigation

A reflected file download (RFD) vulnerability was discovered in Django versions 3.2 before 3.2.15 and 4.0 before 4.0.7, identified as CVE-2022-36359. The vulnerability affects the HTTP FileResponse class when the filename is derived from user-supplied input, potentially allowing attackers to manipulate the Content-Disposition header (Django Security, NVD).

The vulnerability exists in the HTTP FileResponse class of Django where the Content-Disposition header could be manipulated when the filename parameter is derived from user-supplied input. The issue was addressed by implementing proper escaping of the filename parameter to prevent potential RFD attacks (Django Security). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The issue has been classified as having high severity according to Django's security policy (NetApp Advisory).

The vulnerability has been fixed in Django versions 4.0.7 and 3.2.15. Users are strongly encouraged to upgrade to these patched versions. The fixes include proper escaping of filenames in the FileResponse class. Patches have been applied to Django's main branch and the 4.1, 4.0, and 3.2 release branches (Django Security).

The vulnerability was responsibly disclosed by security researcher Motoyasu Saburi. Various organizations and Linux distributions have issued security advisories and patches in response to this vulnerability, including NetApp, Debian, and Fedora (Debian Security, Fedora Update).