Django Unicorn Component State Manipulation Vulnerability

Vulnerability

A component state manipulation vulnerability has been identified in Django Unicorn versions prior to 0.67.0. The issue arises from inadequate access control during property updates and method calls, allowing an attacker to bypass the intended '_is_public' protection. As a result, internal attributes such as 'template_name' can be modified without authorization, and protected methods can be invoked. The root cause is the framework's failure to enforce visibility boundaries, which allows sensitive templates to be rendered and component state to be reset by invoking internal methods.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of component states and the rendering of existing templates from the application's configured template directories. However, it does not enable remote code execution.

Reproduction

To reproduce this vulnerability, send a crafted JSON payload to the message endpoint that targets a protected attribute, such as 'template_name'. The payload should be structured to include the desired value, which can be a sensitive template from another installed application. Once the payload is received, the server-side component will update its internal state with the new value. Subsequent re-rendering will display the content of the targeted template, bypassing the intended component logic.
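The visibility boundary described in the Vulnerability section, and the crafted property-update payload described above, as an added example that is not Django Unicorn's own code: a server-side gate that checks each incoming property update or method call against the component's public surface before applying it, and records every rejected target so it can be logged and alerted on. The Component class, the "actionQueue" message shape with "syncInput"/"callMethod" actions, and the protected names other than 'template_name' are assumptions made for this example.

```python
"""Added illustration, not Django Unicorn's own code: a server-side visibility
gate for client messages that update properties or call methods on a component.

Names beginning with an underscore and framework-internal attributes such as
'template_name' (the attribute named in the advisory) are rejected before any
state change happens, and every rejection is returned so it can be logged.
The message shape (an "actionQueue" of "syncInput"/"callMethod" actions) and
the Component class are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Any

# Internal attributes that must never be writable from the client. 'template_name'
# is from the advisory; the other two names are assumed for this example.
PROTECTED_ATTRIBUTES = frozenset({"template_name", "component_name", "component_id"})


@dataclass
class Component:
    """Hypothetical server-side component (stands in for a real view class)."""
    template_name: str = "shop/cart.html"   # constructed sample value
    quantity: int = 1
    _draft: str = ""

    def add_one(self) -> None:              # public: callable from the client
        self.quantity += 1

    def _reset_state(self) -> None:         # internal: must not be reachable
        self.quantity = 1
        self._draft = ""


def naive_is_public(name: str) -> bool:
    """The insufficient boundary: only the underscore convention is enforced,
    so a framework attribute like 'template_name' still passes."""
    return bool(name) and not name.startswith("_")


def is_public(component: Component, name: str) -> bool:
    """Hardened boundary: underscore names, protected internals and names that
    do not exist on the component are all rejected."""
    if not naive_is_public(name):
        return False
    if name in PROTECTED_ATTRIBUTES:
        return False
    return hasattr(component, name)


def apply_message(component: Component, message: dict[str, Any]) -> list[str]:
    """Apply the actions in a client message, enforcing is_public() on each
    target. Returns "<type>:<name>" for every rejected action; a rejected
    action mutates nothing."""
    rejected: list[str] = []
    for action in message.get("actionQueue", []):
        kind = action.get("type")
        payload = action.get("payload") or {}
        name = str(payload.get("name", ""))
        if not is_public(component, name):
            rejected.append(f"{kind}:{name}")
            continue
        target = getattr(component, name)
        if kind == "syncInput" and not callable(target):
            setattr(component, name, payload.get("value"))
        elif kind == "callMethod" and callable(target):
            target()
        else:
            # Unknown action type, or a property/method mismatch: refuse it.
            rejected.append(f"{kind}:{name}")
    return rejected


# Constructed sample message in the assumed shape: two legitimate actions and
# two that target internals (the pattern the advisory describes). The template
# path is a placeholder, not a real application template.
SAMPLE_MESSAGE: dict[str, Any] = {
    "actionQueue": [
        {"type": "syncInput", "payload": {"name": "quantity", "value": 3}},
        {"type": "syncInput", "payload": {"name": "template_name",
                                          "value": "other_app/PLACEHOLDER.html"}},
        {"type": "callMethod", "payload": {"name": "add_one"}},
        {"type": "callMethod", "payload": {"name": "_reset_state"}},
    ]
}


def demo() -> tuple[Component, list[str]]:
    """Run the sample message through the gate; returns the component and the
    rejected targets so the outcome can be inspected or asserted on."""
    component = Component()
    rejected = apply_message(component, SAMPLE_MESSAGE)
    return component, rejected


if __name__ == "__main__":
    comp, rej = demo()
    print("template_name:", comp.template_name)   # unchanged
    print("quantity:", comp.quantity)             # 4
    print("rejected:", rej)
```

The point of keeping both checks is that the underscore convention alone is a naming rule, not an access-control boundary: an attribute the framework reads for rendering needs an explicit deny entry (or, better, an explicit allowlist of client-writable fields). The returned rejection list is the detection hook; in a real deployment each entry would be written to the request log with the client identity so repeated attempts against internal names stand out.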

Remediation

Users should update to Django Unicorn version 0.67.0 or later, where this vulnerability has been fixed.

Added: Mar 10, 2026, 10:27 PM
Updated: Mar 10, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm
  spread          2.2
  impact          1.3
  exploitability  9.7
  remediation     7.7
  relevance       3.7
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.