7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24584

GHSA ID

GHSA-fr28-569j-53c4

EPSS Score

0.80909%

CWE

CWE-276

Published

3/18/2021

Updated

11/18/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-24584

CVE-2020-24584:
Django Incorrect Default Permissions

An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24584

GHSA ID

GHSA-fr28-569j-53c4

EPSS Score

0.80909%

CWE

CWE-276

Published

3/18/2021

Updated

11/18/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django	pip	>= 2.2, < 2.2.16	2.2.16
django	pip	>= 3.0, < 3.0.10	3.0.10
django	pip	>= 3.1, < 3.1.1	3.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from intermediate directory permissions in the filesystem cache. The commit diff shows the fix involved wrapping os.makedirs() with umask(0o077) in _createdir. This function's original implementation didn't account for Python 3.7+'s behavior where os.makedirs() doesn't apply mode to existing intermediate directories when exist_ok=True. The direct modification of this function in the security patch confirms its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in *j*n*o *.* ***or* *.*.**, *.* ***or* *.*.**, *n* *.* ***or* *.*.* (w**n Pyt*on *.*+ is us**). T** int*rm**i*t*-l*v*l *ir**tori*s o* t** *il*syst*m ***** *** t** syst*m's st*n**r* um*sk r*t**r t**n *o***.

Reasoning

T** vuln*r**ility st*ms *rom int*rm**i*t* *ir**tory p*rmissions in t** *il*syst*m *****. T** *ommit *i** s*ows t** *ix involv** wr*ppin* os.m*k**irs() wit* um*sk(*o***) in _*r**t**ir. T*is *un*tion's ori*in*l impl*m*nt*tion *i*n't ***ount *or Pyt*on

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-24584: Django Incorrect Default Permissions

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-24584:
Django Incorrect Default Permissions

Vulnerability Intelligence
Miggo AI