High severity · NVD Advisory · Published Aug 4, 2009 · Updated Jun 16, 2026
CVE-2009-2659
Description
The Admin media handler in core/servers/basehttp.py in Django 1.0 and 0.96 does not properly map URL requests to expected "static media files," which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a crafted URL.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 0.96.0, < 0.96.4 | 0.96.4 |
| Django (PyPI) | >= 1.0, < 1.0.3 | 1.0.3 |
Affected products
- cpe:2.3:a:django_project:django:0.96:*:*:*:*:*:*:*
- cpe:2.3:a:django_project:django:1.0:*:*:*:*:*:*:*
References
- www.djangoproject.com/weblog/2009/jul/28/security/ (nvd: Patch, Vendor Advisory)
- github.com/advisories/GHSA-9xg7-gg9m-rmq9 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2009-2659 (ghsa: ADVISORY)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd: WEB)
- code.djangoproject.com/changeset/11353 (nvd: WEB)
- www.djangoproject.com/weblog/2009/jul/28/security (ghsa: WEB)
- www.openwall.com/lists/oss-security/2009/07/29/2 (nvd: WEB)
- github.com/django/django/commit/da85d76fd6ca846f3b0ff414e042ddb5e62e2e69 (ghsa: WEB)
- github.com/django/django/commit/df7f917b7f51ba969faa49d000ffc79572c5dcb4 (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2009-3.yaml (ghsa: WEB)
- web.archive.org/web/20111211001428/http://www.securityfocus.com/bid/35859 (ghsa: WEB)
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00055.html (nvd: WEB)
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00069.html (nvd: WEB)
- secunia.com/advisories/36137 (nvd)
- secunia.com/advisories/36153 (nvd)
- www.securityfocus.com/bid/35859 (nvd)