CVE-2022-24840

9.1 CRITICAL

📋 TL;DR

CVE-2022-24840 is a path traversal vulnerability in django-s3file that allows attackers to access or delete files across an entire AWS S3 bucket. All users of django-s3file versions before 5.5.1 are affected, particularly those using the library for file uploads in Django applications with Amazon S3 storage.

💻 Affected Systems

Products:
  • django-s3file
Versions: All versions prior to 5.5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: If the AWS_LOCATION setting is configured, traversal is confined to that prefix, but files within that prefix remain exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all files in the S3 bucket, including sensitive data exposure, data deletion, and potential service disruption.

🟠

Likely Case

Unauthorized access to sensitive files stored in S3, potentially including user uploads, configuration files, or application data.

🟢

If Mitigated

Limited impact if AWS_LOCATION setting restricts traversal scope, but still potential access to files within that location.

🌐 Internet-Facing: HIGH - Web applications using django-s3file are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by malicious insiders or through other compromised systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability was discovered by the maintainer with no reports of third-party exploitation prior to patch release.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.5.1 and above

Vendor Advisory: https://github.com/codingjoe/django-s3file/security/advisories/GHSA-4w8f-hjm9-xwgf

Restart Required: Yes

Instructions:

1. Update the django-s3file package using pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install "django-s3file>=5.5.1"
2. Restart your Django application
3. Verify the update with: pip show django-s3file

🔧 Temporary Workarounds

No feasible workaround (applies to all affected versions).

The maintainer states there is no feasible workaround for this vulnerability.

🧯 If You Can't Patch

  • Implement strict S3 bucket policies to limit access and prevent deletion operations
  • Enable S3 bucket versioning and MFA delete to protect against data loss

🔍 How to Verify

Check if Vulnerable:

Check the installed django-s3file version: pip show django-s3file | grep Version

Any version below 5.5.1 is affected.

Verify Fix Applied:

Run the same command and confirm the reported version is 5.5.1 or higher: pip show django-s3file | grep Version

📡 Detection & Monitoring

Log Indicators:

  • Unusual S3 access patterns, unexpected file deletions, access attempts outside expected paths

Network Indicators:

  • HTTP requests to django-s3file endpoints with path traversal patterns
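A way to hunt for the network indicator above in web-server access logs, as an added example that is not part of this advisory or of the django-s3file project: it scans each logged request target (path and query string) for a ".." segment, decoding up to two layers of percent-encoding so that "%2e%2e%2f" and "%252e%252e%252f" are caught, while ignoring ".." embedded inside an ordinary file name. The log format, the /upload/ endpoint and the key= parameter are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# A ".." path segment, also when it starts a query-string value (key=../..).
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')

# CLF-style request line: method, target (path + query), protocol, status.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(value: str) -> str:
    """Decode up to two layers of percent-encoding and unify separators,
    so "%2e%2e%2f" and "%252e%252e%252f" both surface as "../"."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')

def has_traversal(value: str) -> bool:
    return bool(TRAVERSAL_RE.search(normalize(value)))

def flag_requests(lines):
    """Return (method, target, status) for each logged request whose
    path or query string carries a traversal sequence."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group('target')):
            hits.append((m.group('method'), m.group('target'), m.group('status')))
    return hits

# Constructed sample access-log lines (hypothetical endpoint and parameter).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2022:10:01:02 +0000] "POST /upload/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Apr/2022:10:01:09 +0000] "GET /media/tmp/../../config/settings.py HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Apr/2022:10:02:33 +0000] "POST /upload/?key=%2e%2e%2f%2e%2e%2fsecret.txt HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Apr/2022:10:02:41 +0000] "POST /upload/?key=%252e%252e%252fbackup.sql HTTP/1.1" 302 0',
    '10.0.0.3 - - [12/Apr/2022:10:03:00 +0000] "GET /static/app..v2.css HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    for method, target, status in flag_requests(SAMPLE_LOG):
        print(f'traversal attempt: {method} {target} -> {status}')
```

Note that a 2xx/3xx status on a flagged request only shows the application accepted it; the S3 side (the SIEM query below) tells you whether an object was actually read or deleted.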

SIEM Query:

source="aws:s3" AND (eventName="DeleteObject" OR eventName="GetObject") AND errorCode IS NULL AND userAgent CONTAINS "django-s3file"
