PT-2014-5471 · Django Software Foundation · Django

Gavin Wahl +1

Published 2014-05-15 · Updated 2022-05-14

CVE-2014-3730

CVSS v4.0 7.7 High

Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Name of the Vulnerable Software and Affected Versions

Django versions 1.4 through 1.4.12
Django versions 1.5 through 1.5.7
Django versions 1.6 through 1.6.4
Django versions 1.7 through 1.7b3
Description

The django.utils.http.is_safe_url function does not properly validate URLs, allowing remote attackers to conduct open redirect attacks via a malformed URL.
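An added example, not Django's code and not part of this advisory: a weak redirect-target check of the kind described above beside a tightened one that normalises the browser URL-parsing quirks (backslashes, extra leading slashes, a scheme with no host) that Django's fix for this issue handles before comparing the host. The helper names and the hosts good.example and other.example are constructed for illustration.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def naive_is_safe(url, host):
    """Weak check (illustrative, not Django's code): parse the URL and accept
    it when it has no host or its host is ours. urlparse() is stricter than
    browsers, so a malformed URL can look host-relative here while a browser
    still sends the user to another site."""
    if not url:
        return False
    parts = urlparse(url)
    return (not parts.netloc or parts.netloc == host) and (
        not parts.scheme or parts.scheme in ALLOWED_SCHEMES
    )


def is_safe_redirect(url, host):
    """Tightened check: normalise browser parsing quirks first so the host
    comparison is made on what a browser would actually resolve."""
    if not url:
        return False
    # Browsers treat backslashes like forward slashes; normalise before parsing.
    url = url.replace("\\", "/")
    # Three or more leading slashes is an absolute URL to a browser, but
    # urlparse() yields an empty netloc for it; reject outright.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with no host (http:///other.example) makes a browser treat the
    # first path segment as the host; urlparse() does not, so reject it.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return not parts.netloc or parts.netloc == host


if __name__ == "__main__":
    # Constructed sample redirect targets for a site served on good.example.
    samples = ["/accounts/", "https://good.example/next", "//other.example/",
               "http:\\\\other.example", "///other.example",
               "http:///other.example"]
    for target in samples:
        print(f"{target!r:28} naive={naive_is_safe(target, 'good.example')!s:6}"
              f" tightened={is_safe_redirect(target, 'good.example')}")
```

The two malformed forms that the weak check accepts while the tightened one rejects are exactly the host-relative-looking inputs that a browser resolves off-site.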
Recommendations

For Django versions 1.4 through 1.4.12, update to version 1.4.13 or later.
For Django versions 1.5 through 1.5.7, update to version 1.5.8 or later.
For Django versions 1.6 through 1.6.4, update to version 1.6.5 or later.
For Django versions 1.7 through 1.7b3, update to version 1.7b4 or later.

Related Identifiers

CVE-2014-3730
DSA-2934-1
GHSA-VQ3H-3Q7V-9PRW
MGASA-2014-0231
PYSEC-2014-20
USN-2212-1

Affected Products

Django