django-s3file Path Traversal Vulnerability Allowing Arbitrary File Access and Deletion

Vulnerability

A path traversal vulnerability has been identified in django-s3file versions prior to 5.5.1. This vulnerability allows for traversal of the entire AWS S3 bucket, with the potential to access or delete files. If the AWS_LOCATION setting is configured, the traversal is restricted to that specific location. The vulnerability was discovered by the maintainer, and there were no prior reports of it being known or exploited by third parties before the patch was released.

Impact

Exploitation of this vulnerability could lead to unauthorized access, deletion of files, and in some cases, code injection and remote code execution.

Reproduction

To reproduce this vulnerability, upload a file to a form view that does not validate or sanitize file contents. Then, inject the file into a request by specifying its path in the 'file' form field. The middleware will process the request as if the file was uploaded through the form, bypassing normal validation checks.
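The defensive check that this class of bug calls for, as an added example that is not django-s3file's own code: a key taken from the request's 'file' field is only honoured if, after normalisation, it still lies under the prefix the form writes uploads to, so a value pointing elsewhere in the bucket is refused before any object is read. The names UPLOAD_PREFIX, validate_upload_key, fetch_upload and the in-memory bucket are hypothetical and constructed for the example.

```python
import posixpath
from typing import Dict, Optional

# Added example, not django-s3file's own code. Models the containment check an
# upload handler needs before acting on a storage key supplied by the client.
# UPLOAD_PREFIX is an assumed upload location (think AWS_LOCATION plus a
# per-form subfolder); the bucket below is a constructed stand-in for S3.
UPLOAD_PREFIX = "tmp/s3file"

FAKE_BUCKET: Dict[str, bytes] = {  # constructed sample data
    "tmp/s3file/abc123/report.pdf": b"%PDF-1.4 uploaded through the form",
    "private/customer-export.csv": b"id,email\n1,alice@example.com\n",
}


class UnsafeKeyError(ValueError):
    """Raised when a requested key would reach outside UPLOAD_PREFIX."""


def validate_upload_key(key: str, upload_prefix: str = UPLOAD_PREFIX) -> str:
    """Normalise a client-supplied object key and prove it lies under upload_prefix.

    Returns the normalised key on success and raises UnsafeKeyError otherwise.
    """
    if "\x00" in key:
        raise UnsafeKeyError("NUL byte in key")
    # Treat backslashes as separators so 'tmp\\..\\x' cannot slip past normpath.
    normalized = posixpath.normpath(key.replace("\\", "/"))
    if normalized.startswith("/") or normalized == ".." or normalized.startswith("../"):
        raise UnsafeKeyError(f"{key!r} is absolute or escapes the bucket root")
    prefix = upload_prefix.strip("/") + "/"
    # The bare prefix with no object name after it is not a valid upload either.
    if not normalized.startswith(prefix) or len(normalized) == len(prefix):
        raise UnsafeKeyError(f"{key!r} resolves to {normalized!r}, outside {prefix!r}")
    return normalized


def is_safe_upload_key(key: str, upload_prefix: str = UPLOAD_PREFIX) -> bool:
    """Boolean wrapper around validate_upload_key for callers that only need a verdict."""
    try:
        validate_upload_key(key, upload_prefix)
    except UnsafeKeyError:
        return False
    return True


def fetch_upload_unchecked(field_value: str, bucket: Dict[str, bytes]) -> Optional[bytes]:
    """The vulnerable pattern: the key from the form field is trusted as-is."""
    return bucket.get(field_value)


def fetch_upload(field_value: str, bucket: Dict[str, bytes]) -> Optional[bytes]:
    """Hardened pattern: only a key proven to lie under UPLOAD_PREFIX is read."""
    return bucket.get(validate_upload_key(field_value))


if __name__ == "__main__":
    for candidate in (
        "tmp/s3file/abc123/report.pdf",
        "tmp/s3file/abc123/../../private/customer-export.csv",
        "private/customer-export.csv",
    ):
        print(f"{candidate!r}: unchecked -> {fetch_upload_unchecked(candidate, FAKE_BUCKET) is not None}, "
              f"checked -> {is_safe_upload_key(candidate)}")
```

The same check applies to deletion: whatever operation the handler performs on the object, the key goes through validate_upload_key first, and any rejection is worth logging with the raw field value so traversal attempts surface in monitoring.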

Remediation

Users are advised to update to django-s3file version 5.5.1 or later.

Added: Mar 11, 2026, 7:21 PM
Updated: Mar 11, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.