PT-2014-3643 · Django Software Foundation+1 · Django+1
Benjamin Bach
·
Published
2014-04-22
·
Updated
2022-05-17
·
CVE-2014-0472
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django versions prior to 1.4.11
Django versions 1.5.x prior to 1.5.6
Django versions 1.6.x prior to 1.6.3
Django versions 1.7.x prior to 1.7 beta 2
Description
The issue allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path." This can be achieved through the django.core.urlresolvers.reverse function.
Recommendations
For Django versions prior to 1.4.11, update to version 1.4.11 or later.
For Django versions 1.5.x prior to 1.5.6, update to version 1.5.6 or later.
For Django versions 1.6.x prior to 1.6.3, update to version 1.6.3 or later.
For Django versions 1.7.x prior to 1.7 beta 2, update to version 1.7 beta 2 or later.
Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Django
Ubuntu