cvelistv5 - CVE-2014-0472

CVE-2014-0472 (GCVE-0-2014-0472)

Vulnerability from cvelistv5 – Published: 2014-04-23 14:00 – Updated: 2024-08-06 09:20

Summary

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Severity ?

No CVSS data available.

CWE

Assigner

debian

References

URL

RHSA-2014:0457

Vulnerability from csaf_redhat - Published: 2014-04-30 19:01 - Updated: 2025-11-21 17:48

Summary

Red Hat Security Advisory: Django security update

Notes

Topic

Updated Django packages that fix three security issues are now available for Red Hat Enterprise Linux OpenStack Platform 3.0. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

The Django web framework is used by horizon, the OpenStack Dashboard, which is a web interface for managing OpenStack services. A flaw was found in the way Django's reverse() URL resolver function constructed certain URLs. A remote attacker able to request a specially crafted view from a Django application could use this flaw to import and execute arbitrary Python modules on the system under the privileges of the user running the application. (CVE-2014-0472) It was found that Django's caching framework reused Cross-Site Request Forgery (CSRF) nonces for all requests from unauthenticated clients. A remote attacker could use this flaw to acquire the CSRF token of a different user and bypass intended CSRF protections in a Django application. (CVE-2014-0473) It was discovered that certain Django model field classes did not properly perform type conversion on their arguments. A remote attacker could use this flaw to submit a specially crafted SQL query that, when processed by a Django application using a MySQL database, could have various application-specific impacts on the MySQL database. (CVE-2014-0474) Red Hat would like to thank the upstream Django project for reporting this issue. Upstream acknowledges Benjamin Bach as the original reporter of CVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and the Ruby on Rails team, and specifically Michael Koziarski, as the original reporters of CVE-2014-0474. All users of OpenStack Dashboard are advised to upgrade to these updated packages, which resolve these issues. After installing the updated packages, the httpd daemon must be restarted ("service httpd restart") for the update to take effect.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated Django packages that fix three security issues are now available\nfor Red Hat Enterprise Linux OpenStack Platform 3.0.\n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Django web framework is used by horizon, the OpenStack Dashboard, which\nis a web interface for managing OpenStack services.\n\nA flaw was found in the way Django\u0027s reverse() URL resolver function\nconstructed certain URLs. A remote attacker able to request a specially\ncrafted view from a Django application could use this flaw to import and\nexecute arbitrary Python modules on the system under the privileges of the\nuser running the application. (CVE-2014-0472)\n\nIt was found that Django\u0027s caching framework reused Cross-Site Request\nForgery (CSRF) nonces for all requests from unauthenticated clients.\nA remote attacker could use this flaw to acquire the CSRF token of a\ndifferent user and bypass intended CSRF protections in a Django\napplication. (CVE-2014-0473)\n\nIt was discovered that certain Django model field classes did not properly\nperform type conversion on their arguments. A remote attacker could use\nthis flaw to submit a specially crafted SQL query that, when processed by a\nDjango application using a MySQL database, could have various\napplication-specific impacts on the MySQL database. (CVE-2014-0474)\n\nRed Hat would like to thank the upstream Django project for reporting this\nissue. Upstream acknowledges Benjamin Bach as the original reporter of\nCVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and\nthe Ruby on Rails team, and specifically Michael Koziarski, as the original\nreporters of CVE-2014-0474.\n\nAll users of OpenStack Dashboard are advised to upgrade to these updated\npackages, which resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted (\"service httpd restart\") for\nthe update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0457",
        "url": "https://access.redhat.com/errata/RHSA-2014:0457"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1090588",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
      },
      {
        "category": "external",
        "summary": "1090592",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
      },
      {
        "category": "external",
        "summary": "1090593",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0457.json"
      }
    ],
    "title": "Red Hat Security Advisory: Django security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:48:06+00:00",
      "generator": {
        "date": "2025-11-21T17:48:06+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2014:0457",
      "initial_release_date": "2014-04-30T19:01:19+00:00",
      "revision_history": [
        {
          "date": "2014-04-30T19:01:19+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-04-30T19:01:19+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:48:06+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
                  "product_id": "6Server-Grizzly",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:3::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14-doc@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.src",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.src",
                  "product_id": "Django14-0:1.4.11-1.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
          "product_id": "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-Grizzly"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
          "product_id": "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.src",
        "relates_to_product_reference": "6Server-Grizzly"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-doc-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
          "product_id": "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-doc-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-Grizzly"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Benjamin Bach"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0472",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090588"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: unexpected code execution using reverse()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
          "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090588",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0472",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:19+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0457"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: unexpected code execution using reverse()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Paul McMillan"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0473",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090592"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: caching of anonymous pages could reveal CSRF token",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
          "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090592",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0473",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:19+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0457"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: caching of anonymous pages could reveal CSRF token"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2014-0474",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090593"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: MySQL typecasting",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
          "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090593",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0474",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:19+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0457"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: MySQL typecasting"
    }
  ]
}

RHSA-2014:0456

Vulnerability from csaf_redhat - Published: 2014-04-30 19:01 - Updated: 2025-11-21 17:48

Summary

Red Hat Security Advisory: Django security update

Notes

Topic

Updated Django packages that fix three security issues are now available for Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated Django packages that fix three security issues are now available\nfor Red Hat Enterprise Linux OpenStack Platform 4.0.\n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Django web framework is used by horizon, the OpenStack Dashboard, which\nis a web interface for managing OpenStack services.\n\nA flaw was found in the way Django\u0027s reverse() URL resolver function\nconstructed certain URLs. A remote attacker able to request a specially\ncrafted view from a Django application could use this flaw to import and\nexecute arbitrary Python modules on the system under the privileges of the\nuser running the application. (CVE-2014-0472)\n\nIt was found that Django\u0027s caching framework reused Cross-Site Request\nForgery (CSRF) nonces for all requests from unauthenticated clients.\nA remote attacker could use this flaw to acquire the CSRF token of a\ndifferent user and bypass intended CSRF protections in a Django\napplication. (CVE-2014-0473)\n\nIt was discovered that certain Django model field classes did not properly\nperform type conversion on their arguments. A remote attacker could use\nthis flaw to submit a specially crafted SQL query that, when processed by a\nDjango application using a MySQL database, could have various\napplication-specific impacts on the MySQL database. (CVE-2014-0474)\n\nRed Hat would like to thank the upstream Django project for reporting this\nissue. Upstream acknowledges Benjamin Bach as the original reporter of\nCVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and\nthe Ruby on Rails team, and specifically Michael Koziarski, as the original\nreporters of CVE-2014-0474.\n\nAll users of OpenStack Dashboard are advised to upgrade to these updated\npackages, which resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted (\"service httpd restart\") for\nthe update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0456",
        "url": "https://access.redhat.com/errata/RHSA-2014:0456"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1090588",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
      },
      {
        "category": "external",
        "summary": "1090592",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
      },
      {
        "category": "external",
        "summary": "1090593",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0456.json"
      }
    ],
    "title": "Red Hat Security Advisory: Django security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:48:07+00:00",
      "generator": {
        "date": "2025-11-21T17:48:07+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2014:0456",
      "initial_release_date": "2014-04-30T19:01:28+00:00",
      "revision_history": [
        {
          "date": "2014-04-30T19:01:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-04-30T19:01:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:48:07+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 4.0",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 4.0",
                  "product_id": "6Server-RHOS-4.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:4::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14-doc@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.src",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.src",
                  "product_id": "Django14-0:1.4.11-1.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.src",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-doc-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-doc-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Benjamin Bach"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0472",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090588"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: unexpected code execution using reverse()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
          "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090588",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0472",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0456"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: unexpected code execution using reverse()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Paul McMillan"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0473",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090592"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: caching of anonymous pages could reveal CSRF token",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
          "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090592",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0473",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0456"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: caching of anonymous pages could reveal CSRF token"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2014-0474",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090593"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: MySQL typecasting",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
          "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090593",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0474",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0456"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: MySQL typecasting"
    }
  ]
}

RHSA-2014_0456

Vulnerability from csaf_redhat - Published: 2014-04-30 19:01 - Updated: 2024-11-22 07:51

Summary

Red Hat Security Advisory: Django security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated Django packages that fix three security issues are now available\nfor Red Hat Enterprise Linux OpenStack Platform 4.0.\n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Django web framework is used by horizon, the OpenStack Dashboard, which\nis a web interface for managing OpenStack services.\n\nA flaw was found in the way Django\u0027s reverse() URL resolver function\nconstructed certain URLs. A remote attacker able to request a specially\ncrafted view from a Django application could use this flaw to import and\nexecute arbitrary Python modules on the system under the privileges of the\nuser running the application. (CVE-2014-0472)\n\nIt was found that Django\u0027s caching framework reused Cross-Site Request\nForgery (CSRF) nonces for all requests from unauthenticated clients.\nA remote attacker could use this flaw to acquire the CSRF token of a\ndifferent user and bypass intended CSRF protections in a Django\napplication. (CVE-2014-0473)\n\nIt was discovered that certain Django model field classes did not properly\nperform type conversion on their arguments. A remote attacker could use\nthis flaw to submit a specially crafted SQL query that, when processed by a\nDjango application using a MySQL database, could have various\napplication-specific impacts on the MySQL database. (CVE-2014-0474)\n\nRed Hat would like to thank the upstream Django project for reporting this\nissue. Upstream acknowledges Benjamin Bach as the original reporter of\nCVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and\nthe Ruby on Rails team, and specifically Michael Koziarski, as the original\nreporters of CVE-2014-0474.\n\nAll users of OpenStack Dashboard are advised to upgrade to these updated\npackages, which resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted (\"service httpd restart\") for\nthe update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0456",
        "url": "https://access.redhat.com/errata/RHSA-2014:0456"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1090588",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
      },
      {
        "category": "external",
        "summary": "1090592",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
      },
      {
        "category": "external",
        "summary": "1090593",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0456.json"
      }
    ],
    "title": "Red Hat Security Advisory: Django security update",
    "tracking": {
      "current_release_date": "2024-11-22T07:51:36+00:00",
      "generator": {
        "date": "2024-11-22T07:51:36+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0456",
      "initial_release_date": "2014-04-30T19:01:28+00:00",
      "revision_history": [
        {
          "date": "2014-04-30T19:01:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-04-30T19:01:29+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:51:36+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 4.0",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 4.0",
                  "product_id": "6Server-RHOS-4.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:4::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14-doc@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.src",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.src",
                  "product_id": "Django14-0:1.4.11-1.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.src",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-doc-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-doc-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Benjamin Bach"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0472",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090588"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: unexpected code execution using reverse()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
          "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090588",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0472",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0456"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: unexpected code execution using reverse()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Paul McMillan"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0473",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090592"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: caching of anonymous pages could reveal CSRF token",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
          "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090592",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0473",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0456"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: caching of anonymous pages could reveal CSRF token"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2014-0474",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090593"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: MySQL typecasting",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
          "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090593",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0474",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0456"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-RHOS-4.0:Django14-0:1.4.11-1.el6ost.src",
            "6Server-RHOS-4.0:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: MySQL typecasting"
    }
  ]
}

RHSA-2014_0457

Vulnerability from csaf_redhat - Published: 2014-04-30 19:01 - Updated: 2024-11-22 07:51

Summary

Red Hat Security Advisory: Django security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated Django packages that fix three security issues are now available\nfor Red Hat Enterprise Linux OpenStack Platform 3.0.\n\nThe Red Hat Security Response Team has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Django web framework is used by horizon, the OpenStack Dashboard, which\nis a web interface for managing OpenStack services.\n\nA flaw was found in the way Django\u0027s reverse() URL resolver function\nconstructed certain URLs. A remote attacker able to request a specially\ncrafted view from a Django application could use this flaw to import and\nexecute arbitrary Python modules on the system under the privileges of the\nuser running the application. (CVE-2014-0472)\n\nIt was found that Django\u0027s caching framework reused Cross-Site Request\nForgery (CSRF) nonces for all requests from unauthenticated clients.\nA remote attacker could use this flaw to acquire the CSRF token of a\ndifferent user and bypass intended CSRF protections in a Django\napplication. (CVE-2014-0473)\n\nIt was discovered that certain Django model field classes did not properly\nperform type conversion on their arguments. A remote attacker could use\nthis flaw to submit a specially crafted SQL query that, when processed by a\nDjango application using a MySQL database, could have various\napplication-specific impacts on the MySQL database. (CVE-2014-0474)\n\nRed Hat would like to thank the upstream Django project for reporting this\nissue. Upstream acknowledges Benjamin Bach as the original reporter of\nCVE-2014-0472, Paul McMillan as the original reporter of CVE-2014-0473, and\nthe Ruby on Rails team, and specifically Michael Koziarski, as the original\nreporters of CVE-2014-0474.\n\nAll users of OpenStack Dashboard are advised to upgrade to these updated\npackages, which resolve these issues. After installing the updated\npackages, the httpd daemon must be restarted (\"service httpd restart\") for\nthe update to take effect.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0457",
        "url": "https://access.redhat.com/errata/RHSA-2014:0457"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1090588",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
      },
      {
        "category": "external",
        "summary": "1090592",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
      },
      {
        "category": "external",
        "summary": "1090593",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0457.json"
      }
    ],
    "title": "Red Hat Security Advisory: Django security update",
    "tracking": {
      "current_release_date": "2024-11-22T07:51:41+00:00",
      "generator": {
        "date": "2024-11-22T07:51:41+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2014:0457",
      "initial_release_date": "2014-04-30T19:01:19+00:00",
      "revision_history": [
        {
          "date": "2014-04-30T19:01:19+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-04-30T19:01:19+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:51:41+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
                  "product_id": "6Server-Grizzly",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:3::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-doc-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14-doc@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.noarch",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_id": "Django14-0:1.4.11-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Django14-0:1.4.11-1.el6ost.src",
                "product": {
                  "name": "Django14-0:1.4.11-1.el6ost.src",
                  "product_id": "Django14-0:1.4.11-1.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/Django14@1.4.11-1.el6ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
          "product_id": "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-Grizzly"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-0:1.4.11-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
          "product_id": "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src"
        },
        "product_reference": "Django14-0:1.4.11-1.el6ost.src",
        "relates_to_product_reference": "6Server-Grizzly"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Django14-doc-0:1.4.11-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
          "product_id": "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        },
        "product_reference": "Django14-doc-0:1.4.11-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-Grizzly"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Benjamin Bach"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0472",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090588"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: unexpected code execution using reverse()",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
          "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090588",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090588"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0472",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0472"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:19+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0457"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: unexpected code execution using reverse()"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        },
        {
          "names": [
            "Paul McMillan"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-0473",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090592"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: caching of anonymous pages could reveal CSRF token",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
          "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090592",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090592"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0473",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0473"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0473"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:19+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0457"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: caching of anonymous pages could reveal CSRF token"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "upstream Django project"
          ]
        }
      ],
      "cve": "CVE-2014-0474",
      "discovery_date": "2014-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1090593"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django: MySQL typecasting",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
          "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
          "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "RHBZ#1090593",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1090593"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0474",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0474"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0474"
        }
      ],
      "release_date": "2014-04-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-04-30T19:01:19+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0457"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.noarch",
            "6Server-Grizzly:Django14-0:1.4.11-1.el6ost.src",
            "6Server-Grizzly:Django14-doc-0:1.4.11-1.el6ost.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django: MySQL typecasting"
    }
  ]
}

PYSEC-2014-1

Vulnerability from pysec - Published: 2014-04-23 15:55 - Updated: 2021-07-05 00:01

Details

Impacted products

Name	purl
django	pkg:pypi/django

Aliases

CVE-2014-0472

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django",
        "purl": "pkg:pypi/django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.11"
            },
            {
              "introduced": "1.5"
            },
            {
              "fixed": "1.5.6"
            },
            {
              "introduced": "1.6"
            },
            {
              "fixed": "1.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.1",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.1",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.2.4",
        "1.2.5",
        "1.2.6",
        "1.2.7",
        "1.3",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.3.5",
        "1.3.6",
        "1.3.7",
        "1.4",
        "1.4.1",
        "1.4.10",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.8",
        "1.4.9",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.6",
        "1.6.1",
        "1.6.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2014-0472"
  ],
  "details": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
  "id": "PYSEC-2014-1",
  "modified": "2021-07-05T00:01:18.476528Z",
  "published": "2014-04-23T15:55:00Z",
  "references": [
    {
      "type": "ARTICLE",
      "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.ubuntu.com/usn/USN-2169-1"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/61281"
    }
  ]
}

FKIE_CVE-2014-0472

Vulnerability from fkie_nvd - Published: 2014-04-23 15:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
security@debian.org	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
security@debian.org	http://rhn.redhat.com/errata/RHSA-2014-0456.html
security@debian.org	http://rhn.redhat.com/errata/RHSA-2014-0457.html
security@debian.org	http://secunia.com/advisories/61281
security@debian.org	http://www.debian.org/security/2014/dsa-2934
security@debian.org	http://www.ubuntu.com/usn/USN-2169-1
security@debian.org	https://www.djangoproject.com/weblog/2014/apr/21/security/	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0456.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0457.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/61281
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2014/dsa-2934
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2169-1
af854a3a-2127-422b-91ae-364da2661108	https://www.djangoproject.com/weblog/2014/apr/21/security/	Vendor Advisory

Impacted products

Vendor	Product	Version
djangoproject	django	*
djangoproject	django	1.4
djangoproject	django	1.4.1
djangoproject	django	1.4.2
djangoproject	django	1.4.3
djangoproject	django	1.4.4
djangoproject	django	1.4.5
djangoproject	django	1.4.6
djangoproject	django	1.4.7
djangoproject	django	1.4.8
djangoproject	django	1.4.9
djangoproject	django	1.6
djangoproject	django	1.6.1
djangoproject	django	1.6.2
djangoproject	django	1.7
djangoproject	django	1.7
djangoproject	django	1.7
djangoproject	django	1.5
djangoproject	django	1.5.1
djangoproject	django	1.5.2
djangoproject	django	1.5.3
djangoproject	django	1.5.4
djangoproject	django	1.5.5
canonical	ubuntu_linux	10.04
canonical	ubuntu_linux	12.04
canonical	ubuntu_linux	12.10
canonical	ubuntu_linux	13.10
canonical	ubuntu_linux	14.04

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D817D6FC-F568-46C9-B49E-7CD7457756E4",
              "versionEndIncluding": "1.4.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A79FF7F-8F92-4FEB-96CC-6B15D0CE920D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "13EF02D4-406C-4146-9B8F-FAC906E7B6E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC462CE5-1BE0-41E0-A28D-291350F021AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EDEF8A4-F929-49AB-A8CD-E40CCCDB638C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "4166ADA9-D5B4-47D6-BD93-C98841108275",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "080D43D0-C0FF-4F89-910C-D466943816C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "E04AE832-9059-42AB-AD39-D01E7A633615",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "693EEF6B-810B-4684-9AB5-1BDC95DFA4CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9EF4268-0DB7-4150-B8E7-53C6D7F02E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "C571F85F-9F49-48B6-9AD9-16CD81655F73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "5463AB51-6088-473A-BB54-BB78ACFC6DCA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CC369A0-0092-450D-91E9-13C7AF7EBC16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B6B7974-ABEF-4E0C-8503-6E9C22D28C78",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "14EC0E5B-2CEC-450A-B5A2-16BE4147DB55",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "EDD55056-2537-4E69-9D9D-2697501C0EF3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "BB1EF6D7-0AF4-4146-BA37-961F7048C1C0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCDB4B76-6541-4405-B74C-3EEAF84A04E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E2A29CC-A92B-4EC1-8225-408A5048C033",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "73317E26-AA3A-4437-9261-CE76BC1A0749",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6046CEB-6CF5-406F-BF6B-4D8C24DDA6FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "A666B9E5-EA1B-4FA9-A685-61ECF26CB084",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "8EB3FED4-C50A-4449-9A7B-552CFB02F860",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*",
              "matchCriteriaId": "7118F616-25CA-4E34-AA13-4D14BB62419F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*",
              "matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F61F047-129C-41A6-8A27-FFCBB8563E91",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\""
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n django.core.urlresolvers.reverse en Django anterior a  1.4.11, 1.5.x anterior a 1.5.6, 1.6.x anterior a 1.6.3 y 1.7.x anterior a 1.7 beta 2 permite a atacantes remotos importar y ejecutar m\u00f3dulos Python arbitrarios mediante el aprovechamiento de una visualizaci\u00f3n que construye URLs utilizando entradas de usuarios y una \"ruta Python con puntos.\""
    }
  ],
  "id": "CVE-2014-0472",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-04-23T15:55:02.923",
  "references": [
    {
      "source": "security@debian.org",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://secunia.com/advisories/61281"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.ubuntu.com/usn/USN-2169-1"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/61281"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2169-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-RVQ6-MRPV-M6RM

Vulnerability from github – Published: 2022-05-17 03:07 – Updated: 2025-04-13 23:27

Summary

Code Injection in Django

Details

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5"
            },
            {
              "fixed": "1.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6"
            },
            {
              "fixed": "1.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-0472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-23T23:29:51Z",
    "nvd_published_at": "2014-04-23T15:55:00Z",
    "severity": "CRITICAL"
  },
  "details": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
  "id": "GHSA-rvq6-mrpv-m6rm",
  "modified": "2025-04-13T23:27:03Z",
  "published": "2022-05-17T03:07:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/2a5bcb69f42b84464b24b5c835dca6467b6aa7f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/4352a50871e239ebcdf64eee6f0b88e714015c1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/c1a8c420fe4b27fb2caf5e46d23b5712fc0ac535"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-1.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2014/apr/21/security"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2169-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Code Injection in Django"
}

GSD-2014-0472

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-0472

Aliases

CVE-2014-0472

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-0472",
    "description": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
    "id": "GSD-2014-0472",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-0472.html",
      "https://www.debian.org/security/2014/dsa-2934",
      "https://access.redhat.com/errata/RHSA-2014:0457",
      "https://access.redhat.com/errata/RHSA-2014:0456",
      "https://ubuntu.com/security/CVE-2014-0472",
      "https://advisories.mageia.org/CVE-2014-0472.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-0472"
      ],
      "details": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\"",
      "id": "GSD-2014-0472",
      "modified": "2023-12-13T01:22:44.898479Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@debian.org",
        "ID": "CVE-2014-0472",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "USN-2169-1",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-2169-1"
          },
          {
            "name": "https://www.djangoproject.com/weblog/2014/apr/21/security/",
            "refsource": "CONFIRM",
            "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
          },
          {
            "name": "RHSA-2014:0457",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
          },
          {
            "name": "61281",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "DSA-2934",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2014/dsa-2934"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "RHSA-2014:0456",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.4,\u003c1.4.11||\u003e=1.5,\u003c1.5.6||\u003e=1.6,\u003c1.6.3",
          "affected_versions": "All versions starting from 1.4 before 1.4.11, all versions starting from 1.5 before 1.5.6, all versions starting from 1.6 before 1.6.3",
          "credit": "Benjamin Bach",
          "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2017-01-06",
          "description": "Django incorrectly handle dotted Python paths when using the `django.core.urlresolvers.reverse` function. An attacker can use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution.",
          "fixed_versions": [
            "1.4.11",
            "1.5.6",
            "1.6.3"
          ],
          "identifier": "CVE-2014-0472",
          "identifiers": [
            "CVE-2014-0472"
          ],
          "package_slug": "pypi/Django",
          "pubdate": "2014-04-23",
          "solution": "Upgrade to latest",
          "title": "Unexpected code execution using reverse()",
          "urls": [
            "https://www.djangoproject.com/weblog/2014/apr/21/security/"
          ],
          "uuid": "1f9b27c0-d25e-48f2-b035-4cc691b0967d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.4.10",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:alpha1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:alpha2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-0472"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a \"dotted Python path.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.djangoproject.com/weblog/2014/apr/21/security/",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
            },
            {
              "name": "USN-2169-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-2169-1"
            },
            {
              "name": "RHSA-2014:0457",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
            },
            {
              "name": "DSA-2934",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2014/dsa-2934"
            },
            {
              "name": "RHSA-2014:0456",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/61281"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2017-01-07T02:59Z",
      "publishedDate": "2014-04-23T15:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-0472 (GCVE-0-2014-0472)

Tags

Sightings

Nomenclature