CVE-2016-7401 (GCVE-0-2016-7401)
Vulnerability from cvelistv5 – Published: 2016-10-03 18:00 – Updated: 2024-08-06 01:57 – n/a
| URL | Tags |
|---|---|
| http://www.debian.org/security/2016/dsa-3678 | vendor-advisory, x_refsource_DEBIAN |
| http://rhn.redhat.com/errata/RHSA-2016-2040.html | vendor-advisory, x_refsource_REDHAT |
| http://rhn.redhat.com/errata/RHSA-2016-2043.html | vendor-advisory, x_refsource_REDHAT |
| http://www.securitytracker.com/id/1036899 | vdb-entry, x_refsource_SECTRACK |
| http://rhn.redhat.com/errata/RHSA-2016-2041.html | vendor-advisory, x_refsource_REDHAT |
| https://www.djangoproject.com/weblog/2016/sep/26/security-releases/ | x_refsource_CONFIRM |
| http://rhn.redhat.com/errata/RHSA-2016-2042.html | vendor-advisory, x_refsource_REDHAT |
| http://www.ubuntu.com/usn/USN-3089-1 | vendor-advisory, x_refsource_UBUNTU |
| http://www.securityfocus.com/bid/93182 | vdb-entry, x_refsource_BID |
| http://rhn.redhat.com/errata/RHSA-2016-2038.html | vendor-advisory, x_refsource_REDHAT |
| http://rhn.redhat.com/errata/RHSA-2016-2039.html | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:57:47.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3678",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3678"
},
{
"name": "RHSA-2016:2040",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2040.html"
},
{
"name": "RHSA-2016:2043",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2043.html"
},
{
"name": "1036899",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1036899"
},
{
"name": "RHSA-2016:2041",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2041.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"
},
{
"name": "RHSA-2016:2042",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2042.html"
},
{
"name": "USN-3089-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3089-1"
},
{
"name": "93182",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/93182"
},
{
"name": "RHSA-2016:2038",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2038.html"
},
{
"name": "RHSA-2016:2039",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2039.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-04T19:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-3678",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3678"
},
{
"name": "RHSA-2016:2040",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2040.html"
},
{
"name": "RHSA-2016:2043",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2043.html"
},
{
"name": "1036899",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1036899"
},
{
"name": "RHSA-2016:2041",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2041.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"
},
{
"name": "RHSA-2016:2042",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2042.html"
},
{
"name": "USN-3089-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-3089-1"
},
{
"name": "93182",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/93182"
},
{
"name": "RHSA-2016:2038",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2038.html"
},
{
"name": "RHSA-2016:2039",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2039.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-7401",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3678",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3678"
},
{
"name": "RHSA-2016:2040",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2040.html"
},
{
"name": "RHSA-2016:2043",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2043.html"
},
{
"name": "1036899",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1036899"
},
{
"name": "RHSA-2016:2041",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2041.html"
},
{
"name": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/",
"refsource": "CONFIRM",
"url": "https://www.djangoproject.com/weblog/2016/sep/26/security-releases/"
},
{
"name": "RHSA-2016:2042",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2042.html"
},
{
"name": "USN-3089-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-3089-1"
},
{
"name": "93182",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/93182"
},
{
"name": "RHSA-2016:2038",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2038.html"
},
{
"name": "RHSA-2016:2039",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2039.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-7401",
"datePublished": "2016-10-03T18:00:00.000Z",
"dateReserved": "2016-09-09T00:00:00.000Z",
"dateUpdated": "2024-08-06T01:57:47.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2016-7401",
"date": "2026-05-26",
"epss": "0.04799",
"percentile": "0.89608"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B5A6F2F3-4894-4392-8296-3B8DD2679084\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.8.14\", \"matchCriteriaId\": \"66FE8806-7FCB-4CFD-9EAF-05F2ED9F6B9B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E4BDA562-AB2E-457C-8DA5-32AB90CB5E3C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6B754401-8503-4553-853F-4F6BCD2D2FF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"019C26C7-EF1F-45BB-934E-521E2E64452E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A18691A7-E4D0-48A4-81A7-89846E991AF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7C06EBD9-381E-4018-BFDC-E23EA18097B0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7D134048-B64F-45AE-B4A2-26E516CCF37B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0F39B83A-C10B-4B88-9491-2FB8B07D6EA5\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"64A4030E-F51F-4944-BCE7-E27CD32EC7D4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CCC1F046-DAF7-4734-9F80-A3C57857AF18\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"61EE8536-0E8D-477A-B8EA-817CE21D516A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.\"}, {\"lang\": \"es\", \"value\": \"El c\\u00f3digo de an\\u00e1lisis de cookie en Django en versiones anteriores a 1.8.15 y 1.9.x en versiones anteriores a 1.9.10, cuando se utiliza en un sitio con Google Analytics, permite a atacantes remotos eludir un mecanismo de protecci\\u00f3n CSRF destinado estableciendo cookies arbitrarias.\"}]",
"id": "CVE-2016-7401",
"lastModified": "2024-11-21T02:57:55.553",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2016-10-03T18:59:13.137",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2038.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2039.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2040.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2041.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2042.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2043.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.debian.org/security/2016/dsa-3678\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/93182\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securitytracker.com/id/1036899\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.ubuntu.com/usn/USN-3089-1\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.djangoproject.com/weblog/2016/sep/26/security-releases/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2038.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2039.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2040.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2041.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2042.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2043.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"http://www.debian.org/security/2016/dsa-3678\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/93182\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.securitytracker.com/id/1036899\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.ubuntu.com/usn/USN-3089-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.djangoproject.com/weblog/2016/sep/26/security-releases/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-254\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2016-7401\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2016-10-03T18:59:13.137\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.\"},{\"lang\":\"es\",\"value\":\"El c\u00f3digo de an\u00e1lisis de cookie en Django en versiones anteriores a 1.8.15 y 1.9.x en versiones anteriores a 1.9.10, cuando se utiliza en un sitio con Google Analytics, permite a atacantes remotos eludir un mecanismo de protecci\u00f3n CSRF destinado estableciendo cookies arbitrarias.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"
en\",\"value\":\"CWE-254\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B5A6F2F3-4894-4392-8296-3B8DD2679084\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.8.14\",\"matchCriteriaId\":\"66FE8806-7FCB-4CFD-9EAF-05F2ED9F6B9B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4BDA562-AB2E-457C-8DA5-32AB90CB5E3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B754401-8503-4553-853F-4F6BCD2D2FF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"019C26C7-EF1F-45BB-934E-521E2E64452E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A18691A7-E4D0-48A4-81A7-89846E991AF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C06EBD9-381E-4018-BFDC-E23EA18097B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7D134048-B64F-45AE-B4A2-26E516CCF37B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F39B83A-C10B-4B88-9491-2FB8B07D6EA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"64
A4030E-F51F-4944-BCE7-E27CD32EC7D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CCC1F046-DAF7-4734-9F80-A3C57857AF18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"61EE8536-0E8D-477A-B8EA-817CE21D516A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2038.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2039.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2040.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2041.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2042.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2043.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3678\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/93182\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1036899\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-3089-1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.djangoproject.com/weblog/2016/sep/26/security-releases/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor 
Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2038.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2039.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2040.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2041.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2042.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3678\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/93182\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1036899\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.ubuntu.com/usn/USN-3089-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.djangoproject.com/weblog/2016/sep/26/security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
RHSA-2016:2043
Vulnerability from csaf_redhat – Published: 2016-10-10 05:56 – Updated: 2025-11-21 17:57

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch | — | Vendor Fix | fix |
| Unresolved product id: 7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src | — | Vendor Fix | fix |
| Unresolved product id: 7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch | — | Vendor Fix | fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-django is now available for Red Hat OpenStack Platform 9.0 (Mitaka).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nThe following packages have been upgraded to a newer upstream version: python-django (1.8.15). (BZ#1378622)\n\nSecurity Fix(es):\n\n* A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027. (CVE-2016-7401)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2043",
"url": "https://access.redhat.com/errata/RHSA-2016:2043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2043.json"
}
],
"title": "Red Hat Security Advisory: python-django security update",
"tracking": {
"current_release_date": "2025-11-21T17:57:45+00:00",
"generator": {
"date": "2025-11-21T17:57:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2016:2043",
"initial_release_date": "2016-10-10T05:56:35+00:00",
"revision_history": [
{
"date": "2016-10-10T05:56:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-10T05:56:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:57:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 9.0",
"product": {
"name": "Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.15-1.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.src",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.src",
"product_id": "python-django-0:1.8.15-1.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.noarch as a component of Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.src as a component of Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch as a component of Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the upstream Django project"
]
}
],
"cve": "CVE-2016-7401",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2016-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1377376"
}
],
"notes": [
{
"category": "description",
"text": "A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django: CSRF protection bypass on a site with Google Analytics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "RHBZ#1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-7401",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-7401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401"
}
],
"release_date": "2016-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-10T05:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2043"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django: CSRF protection bypass on a site with Google Analytics"
}
]
}
RHSA-2016_2038
Vulnerability from csaf_redhat - Published: 2016-10-10 05:56 - Updated: 2024-11-14 20:48 — A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.src | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el6ost.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-6.el6ost.noarch | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027. (CVE-2016-7401)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2038",
"url": "https://access.redhat.com/errata/RHSA-2016:2038"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2038.json"
}
],
"title": "Red Hat Security Advisory: python-django security update",
"tracking": {
"current_release_date": "2024-11-14T20:48:34+00:00",
"generator": {
"date": "2024-11-14T20:48:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:2038",
"initial_release_date": "2016-10-10T05:56:53+00:00",
"revision_history": [
{
"date": "2016-10-10T05:56:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-10T05:56:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:48:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-bash-completion-0:1.6.11-6.el6ost.noarch",
"product": {
"name": "python-django-bash-completion-0:1.6.11-6.el6ost.noarch",
"product_id": "python-django-bash-completion-0:1.6.11-6.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-bash-completion@1.6.11-6.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-0:1.6.11-6.el6ost.noarch",
"product": {
"name": "python-django-0:1.6.11-6.el6ost.noarch",
"product_id": "python-django-0:1.6.11-6.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.6.11-6.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-doc-0:1.6.11-6.el6ost.noarch",
"product": {
"name": "python-django-doc-0:1.6.11-6.el6ost.noarch",
"product_id": "python-django-doc-0:1.6.11-6.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-doc@1.6.11-6.el6ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.6.11-6.el6ost.src",
"product": {
"name": "python-django-0:1.6.11-6.el6ost.src",
"product_id": "python-django-0:1.6.11-6.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.6.11-6.el6ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.6.11-6.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.noarch"
},
"product_reference": "python-django-0:1.6.11-6.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.6.11-6.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.src"
},
"product_reference": "python-django-0:1.6.11-6.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-bash-completion-0:1.6.11-6.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el6ost.noarch"
},
"product_reference": "python-django-bash-completion-0:1.6.11-6.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-doc-0:1.6.11-6.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-6.el6ost.noarch"
},
"product_reference": "python-django-doc-0:1.6.11-6.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the upstream Django project"
]
}
],
"cve": "CVE-2016-7401",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2016-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1377376"
}
],
"notes": [
{
"category": "description",
"text": "A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django: CSRF protection bypass on a site with Google Analytics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-6.el6ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "RHBZ#1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-7401",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-7401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401"
}
],
"release_date": "2016-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-10T05:56:53+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-6.el6ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2038"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-0:1.6.11-6.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-6.el6ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django: CSRF protection bypass on a site with Google Analytics"
}
]
}
RHSA-2016_2039
Vulnerability from csaf_redhat - Published: 2016-10-10 05:56 - Updated: 2024-11-14 20:48 — A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-6.el7ost.noarch | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027. (CVE-2016-7401)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2039",
"url": "https://access.redhat.com/errata/RHSA-2016:2039"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2039.json"
}
],
"title": "Red Hat Security Advisory: python-django security update",
"tracking": {
"current_release_date": "2024-11-14T20:48:38+00:00",
"generator": {
"date": "2024-11-14T20:48:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:2039",
"initial_release_date": "2016-10-10T05:56:47+00:00",
"revision_history": [
{
"date": "2016-10-10T05:56:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-10T05:56:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:48:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.6.11-6.el7ost.src",
"product": {
"name": "python-django-0:1.6.11-6.el7ost.src",
"product_id": "python-django-0:1.6.11-6.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.6.11-6.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"product": {
"name": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"product_id": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-doc@1.6.11-6.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-0:1.6.11-6.el7ost.noarch",
"product": {
"name": "python-django-0:1.6.11-6.el7ost.noarch",
"product_id": "python-django-0:1.6.11-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.6.11-6.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"product": {
"name": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"product_id": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-bash-completion@1.6.11-6.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.6.11-6.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.noarch"
},
"product_reference": "python-django-0:1.6.11-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.6.11-6.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.src"
},
"product_reference": "python-django-0:1.6.11-6.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch"
},
"product_reference": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-doc-0:1.6.11-6.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
},
"product_reference": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the upstream Django project"
]
}
],
"cve": "CVE-2016-7401",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2016-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1377376"
}
],
"notes": [
{
"category": "description",
"text": "A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django: CSRF protection bypass on a site with Google Analytics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "RHBZ#1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-7401",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-7401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401"
}
],
"release_date": "2016-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-10T05:56:47+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2039"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-0:1.6.11-6.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django: CSRF protection bypass on a site with Google Analytics"
}
]
}
RHSA-2016_2040
Vulnerability from csaf_redhat - Published: 2016-10-10 06:10 - Updated: 2024-11-14 20:48 — A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.src | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch | — | | Vendor Fix (fix) |
| Unresolved product id: 7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-6.el7ost.noarch | — | | Vendor Fix (fix) |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027. (CVE-2016-7401)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2040",
"url": "https://access.redhat.com/errata/RHSA-2016:2040"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2040.json"
}
],
"title": "Red Hat Security Advisory: python-django security update",
"tracking": {
"current_release_date": "2024-11-14T20:48:43+00:00",
"generator": {
"date": "2024-11-14T20:48:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:2040",
"initial_release_date": "2016-10-10T06:10:49+00:00",
"revision_history": [
{
"date": "2016-10-10T06:10:49+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-10T06:10:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:48:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.6.11-6.el7ost.src",
"product": {
"name": "python-django-0:1.6.11-6.el7ost.src",
"product_id": "python-django-0:1.6.11-6.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.6.11-6.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"product": {
"name": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"product_id": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-doc@1.6.11-6.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-0:1.6.11-6.el7ost.noarch",
"product": {
"name": "python-django-0:1.6.11-6.el7ost.noarch",
"product_id": "python-django-0:1.6.11-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.6.11-6.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"product": {
"name": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"product_id": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-bash-completion@1.6.11-6.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.6.11-6.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.noarch"
},
"product_reference": "python-django-0:1.6.11-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.6.11-6.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.src"
},
"product_reference": "python-django-0:1.6.11-6.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch"
},
"product_reference": "python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-doc-0:1.6.11-6.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7",
"product_id": "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
},
"product_reference": "python-django-doc-0:1.6.11-6.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-6.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the upstream Django project"
]
}
],
"cve": "CVE-2016-7401",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2016-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1377376"
}
],
"notes": [
{
"category": "description",
"text": "A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django: CSRF protection bypass on a site with Google Analytics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.src",
"7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "RHBZ#1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-7401",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-7401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401"
}
],
"release_date": "2016-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-10T06:10:49+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.src",
"7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2040"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-django-0:1.6.11-6.el7ost.src",
"7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-6.el7ost.noarch",
"7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-6.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django: CSRF protection bypass on a site with Google Analytics"
}
]
}
RHSA-2016_2041
Vulnerability from csaf_redhat - Published: 2016-10-10 06:10 - Updated: 2024-11-14 20:48

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | 7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.noarch | python-django-0:1.8.15-1.el7ost.noarch | Vendor Fix (product_status: fixed) |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | 7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.src | python-django-0:1.8.15-1.el7ost.src | Vendor Fix (product_status: fixed) |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | 7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch | python-django-bash-completion-0:1.8.15-1.el7ost.noarch | Vendor Fix (product_status: fixed) |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | 7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.15-1.el7ost.noarch | python-django-doc-0:1.8.15-1.el7ost.noarch | Vendor Fix (product_status: fixed) |

(Product IDs that the page viewer reported as "Unresolved product id" are resolved here from the advisory's own `product_tree.relationships` and `product_status.fixed` entries in the JSON below.)
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nThe following packages have been upgraded to a newer upstream version: python-django (1.8.15). (BZ#1378620)\n\nSecurity Fix(es):\n\n* A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027. (CVE-2016-7401)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2041",
"url": "https://access.redhat.com/errata/RHSA-2016:2041"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2041.json"
}
],
"title": "Red Hat Security Advisory: python-django security update",
"tracking": {
"current_release_date": "2024-11-14T20:48:47+00:00",
"generator": {
"date": "2024-11-14T20:48:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:2041",
"initial_release_date": "2016-10-10T06:10:44+00:00",
"revision_history": [
{
"date": "2016-10-10T06:10:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-10T06:10:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:48:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:7::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-doc-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-doc-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-doc-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-doc@1.8.15-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.15-1.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.src",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.src",
"product_id": "python-django-0:1.8.15-1.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.src"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-doc-0:1.8.15-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7",
"product_id": "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-doc-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-7.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the upstream Django project"
]
}
],
"cve": "CVE-2016-7401",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2016-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1377376"
}
],
"notes": [
{
"category": "description",
"text": "A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django: CSRF protection bypass on a site with Google Analytics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.15-1.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "RHBZ#1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-7401",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-7401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401"
}
],
"release_date": "2016-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-10T06:10:44+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.15-1.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2041"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.15-1.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django: CSRF protection bypass on a site with Google Analytics"
}
]
}
RHSA-2016_2042
Vulnerability from csaf_redhat - Published: 2016-10-10 05:56 - Updated: 2024-11-14 20:48

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenStack Platform 8.0 (Liberty) | 7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.noarch | python-django-0:1.8.15-1.el7ost.noarch | Vendor Fix (product_status: fixed) |
| Red Hat OpenStack Platform 8.0 (Liberty) | 7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.src | python-django-0:1.8.15-1.el7ost.src | Vendor Fix (product_status: fixed) |
| Red Hat OpenStack Platform 8.0 (Liberty) | 7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch | python-django-bash-completion-0:1.8.15-1.el7ost.noarch | Vendor Fix (product_status: fixed) |

(Product IDs that the page viewer reported as "Unresolved product id" are resolved here from the advisory's own `product_tree.relationships` and `product_status.fixed` entries in the JSON below. Note that this advisory lists no python-django-doc package for OSP 8.0.)
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-django is now available for Red Hat OpenStack Platform 8.0 (Liberty).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nThe following packages have been upgraded to a newer upstream version: python-django (1.8.15). (BZ#1378621)\n\nSecurity Fix(es):\n\n* A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027. (CVE-2016-7401)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2042",
"url": "https://access.redhat.com/errata/RHSA-2016:2042"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2042.json"
}
],
"title": "Red Hat Security Advisory: python-django security update",
"tracking": {
"current_release_date": "2024-11-14T20:48:51+00:00",
"generator": {
"date": "2024-11-14T20:48:51+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:2042",
"initial_release_date": "2016-10-10T05:56:41+00:00",
"revision_history": [
{
"date": "2016-10-10T05:56:41+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-10T05:56:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:48:51+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 8.0 (Liberty)",
"product": {
"name": "Red Hat OpenStack Platform 8.0 (Liberty)",
"product_id": "7Server-RH7-RHOS-8.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:8::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.15-1.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.src",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.src",
"product_id": "python-django-0:1.8.15-1.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.noarch as a component of Red Hat OpenStack Platform 8.0 (Liberty)",
"product_id": "7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.src as a component of Red Hat OpenStack Platform 8.0 (Liberty)",
"product_id": "7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.src"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch as a component of Red Hat OpenStack Platform 8.0 (Liberty)",
"product_id": "7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-8.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the upstream Django project"
]
}
],
"cve": "CVE-2016-7401",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2016-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1377376"
}
],
"notes": [
{
"category": "description",
"text": "A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django: CSRF protection bypass on a site with Google Analytics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "RHBZ#1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-7401",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-7401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401"
}
],
"release_date": "2016-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-10T05:56:41+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2042"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-8.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-8.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django: CSRF protection bypass on a site with Google Analytics"
}
]
}
RHSA-2016_2043
Vulnerability from csaf_redhat - Published: 2016-10-10 05:56 - Updated: 2024-11-14 20:48

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for ''request.COOKIES'' has been simplified to better match browser behavior and to mitigate this attack. ''request.COOKIES'' may now contain cookies that are invalid according to RFC 6265 but are possible to set using ''document.cookie''.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-django is now available for Red Hat OpenStack Platform 9.0 (Mitaka).\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nThe following packages have been upgraded to a newer upstream version: python-django (1.8.15). (BZ#1378622)\n\nSecurity Fix(es):\n\n* A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027. (CVE-2016-7401)\n\nRed Hat would like to thank the upstream Django project for reporting this issue.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2043",
"url": "https://access.redhat.com/errata/RHSA-2016:2043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2043.json"
}
],
"title": "Red Hat Security Advisory: python-django security update",
"tracking": {
"current_release_date": "2024-11-14T20:48:55+00:00",
"generator": {
"date": "2024-11-14T20:48:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:2043",
"initial_release_date": "2016-10-10T05:56:35+00:00",
"revision_history": [
{
"date": "2016-10-10T05:56:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-10T05:56:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:48:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 9.0",
"product": {
"name": "Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_id": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.15-1.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-0:1.8.15-1.el7ost.src",
"product": {
"name": "python-django-0:1.8.15-1.el7ost.src",
"product_id": "python-django-0:1.8.15-1.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django@1.8.15-1.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.noarch as a component of Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-0:1.8.15-1.el7ost.src as a component of Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src"
},
"product_reference": "python-django-0:1.8.15-1.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch as a component of Red Hat OpenStack Platform 9.0",
"product_id": "7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
},
"product_reference": "python-django-bash-completion-0:1.8.15-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-9.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"the upstream Django project"
]
}
],
"cve": "CVE-2016-7401",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2016-09-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1377376"
}
],
"notes": [
{
"category": "description",
"text": "A CSRF flaw was found in Django, where an interaction between Google Analytics and Django\u0027s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection. In this update, the parser for \u0027\u0027request.COOKIES\u0027\u0027 has been simplified to better match browser behavior and to mitigate this attack. \u0027\u0027request.COOKIES\u0027\u0027 may now contain cookies that are invalid according to RFC 6265 but are possible to set using \u0027\u0027document.cookie\u0027\u0027.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django: CSRF protection bypass on a site with Google Analytics",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue did not affect the versions of calamari-server as shipped with Red Hat Ceph Storage 1.3 and 2.0 as they did not include support for google analytics with Django.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "RHBZ#1377376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1377376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-7401",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-7401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7401"
}
],
"release_date": "2016-09-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-10T05:56:35+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2043"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.noarch",
"7Server-RH7-RHOS-9.0:python-django-0:1.8.15-1.el7ost.src",
"7Server-RH7-RHOS-9.0:python-django-bash-completion-0:1.8.15-1.el7ost.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django: CSRF protection bypass on a site with Google Analytics"
}
]
}
SUSE-SU-2018:0973-1
Vulnerability from csaf_suse - Published: 2018-04-18 06:31 - Updated: 2018-04-18 06:31
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-Django",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-Django fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)\n- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)\n- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)\n- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)\n- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)\n- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)\n- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)\n- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-7-2018-655",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_0973-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:0973-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20180973-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:0973-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-April/003895.html"
},
{
"category": "self",
"summary": "SUSE Bug 1001374",
"url": "https://bugzilla.suse.com/1001374"
},
{
"category": "self",
"summary": "SUSE Bug 1008047",
"url": "https://bugzilla.suse.com/1008047"
},
{
"category": "self",
"summary": "SUSE Bug 1008050",
"url": "https://bugzilla.suse.com/1008050"
},
{
"category": "self",
"summary": "SUSE Bug 1031450",
"url": "https://bugzilla.suse.com/1031450"
},
{
"category": "self",
"summary": "SUSE Bug 1031451",
"url": "https://bugzilla.suse.com/1031451"
},
{
"category": "self",
"summary": "SUSE Bug 1056284",
"url": "https://bugzilla.suse.com/1056284"
},
{
"category": "self",
"summary": "SUSE Bug 1083304",
"url": "https://bugzilla.suse.com/1083304"
},
{
"category": "self",
"summary": "SUSE Bug 1083305",
"url": "https://bugzilla.suse.com/1083305"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-7401 page",
"url": "https://www.suse.com/security/cve/CVE-2016-7401/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-9013 page",
"url": "https://www.suse.com/security/cve/CVE-2016-9013/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-9014 page",
"url": "https://www.suse.com/security/cve/CVE-2016-9014/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-12794 page",
"url": "https://www.suse.com/security/cve/CVE-2017-12794/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-7233 page",
"url": "https://www.suse.com/security/cve/CVE-2017-7233/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-7234 page",
"url": "https://www.suse.com/security/cve/CVE-2017-7234/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-7536 page",
"url": "https://www.suse.com/security/cve/CVE-2018-7536/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-7537 page",
"url": "https://www.suse.com/security/cve/CVE-2018-7537/"
}
],
"title": "Security update for python-Django",
"tracking": {
"current_release_date": "2018-04-18T06:31:23Z",
"generator": {
"date": "2018-04-18T06:31:23Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:0973-1",
"initial_release_date": "2018-04-18T06:31:23Z",
"revision_history": [
{
"date": "2018-04-18T06:31:23Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python-Django-1.8.19-3.4.1.noarch",
"product": {
"name": "python-Django-1.8.19-3.4.1.noarch",
"product_id": "python-Django-1.8.19-3.4.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-Django-1.8.19-3.4.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
},
"product_reference": "python-Django-1.8.19-3.4.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-7401",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-7401"
}
],
"notes": [
{
"category": "general",
"text": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-7401",
"url": "https://www.suse.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "SUSE Bug 1001374 for CVE-2016-7401",
"url": "https://bugzilla.suse.com/1001374"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "moderate"
}
],
"title": "CVE-2016-7401"
},
{
"cve": "CVE-2016-9013",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-9013"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-9013",
"url": "https://www.suse.com/security/cve/CVE-2016-9013"
},
{
"category": "external",
"summary": "SUSE Bug 1008050 for CVE-2016-9013",
"url": "https://bugzilla.suse.com/1008050"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "low"
}
],
"title": "CVE-2016-9013"
},
{
"cve": "CVE-2016-9014",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-9014"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-9014",
"url": "https://www.suse.com/security/cve/CVE-2016-9014"
},
{
"category": "external",
"summary": "SUSE Bug 1008047 for CVE-2016-9014",
"url": "https://bugzilla.suse.com/1008047"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "low"
}
],
"title": "CVE-2016-9014"
},
{
"cve": "CVE-2017-12794",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-12794"
}
],
"notes": [
{
"category": "general",
"text": "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn\u0027t affect most production sites since you shouldn\u0027t run with \"DEBUG = True\" (which makes this page accessible) in your production settings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-12794",
"url": "https://www.suse.com/security/cve/CVE-2017-12794"
},
{
"category": "external",
"summary": "SUSE Bug 1056284 for CVE-2017-12794",
"url": "https://bugzilla.suse.com/1056284"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "moderate"
}
],
"title": "CVE-2017-12794"
},
{
"cve": "CVE-2017-7233",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-7233"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn\u0027t be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-7233",
"url": "https://www.suse.com/security/cve/CVE-2017-7233"
},
{
"category": "external",
"summary": "SUSE Bug 1031450 for CVE-2017-7233",
"url": "https://bugzilla.suse.com/1031450"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "low"
}
],
"title": "CVE-2017-7233"
},
{
"cve": "CVE-2017-7234",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-7234"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-7234",
"url": "https://www.suse.com/security/cve/CVE-2017-7234"
},
{
"category": "external",
"summary": "SUSE Bug 1031451 for CVE-2017-7234",
"url": "https://bugzilla.suse.com/1031451"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "low"
}
],
"title": "CVE-2017-7234"
},
{
"cve": "CVE-2018-7536",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-7536"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-7536",
"url": "https://www.suse.com/security/cve/CVE-2018-7536"
},
{
"category": "external",
"summary": "SUSE Bug 1083304 for CVE-2018-7536",
"url": "https://bugzilla.suse.com/1083304"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "moderate"
}
],
"title": "CVE-2018-7536"
},
{
"cve": "CVE-2018-7537",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-7537"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-7537",
"url": "https://www.suse.com/security/cve/CVE-2018-7537"
},
{
"category": "external",
"summary": "SUSE Bug 1083305 for CVE-2018-7537",
"url": "https://bugzilla.suse.com/1083305"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-18T06:31:23Z",
"details": "moderate"
}
],
"title": "CVE-2018-7537"
}
]
}
SUSE-SU-2018:1102-1
Vulnerability from csaf_suse - Published: 2018-04-27 13:24 - Updated: 2018-04-27 13:24
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-Django",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-Django fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)\n- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)\n- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)\n- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)\n- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)\n- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)\n- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)\n- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)\n- CVE-2016-2512: Vulnerability in the function utils.http.is_safe_url could allow remote attackers to redirect users to an arbitrary web site and conduct phishing attacks. (bsc#967999)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-6-2018-750",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1102-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:1102-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181102-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:1102-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-April/003965.html"
},
{
"category": "self",
"summary": "SUSE Bug 1001374",
"url": "https://bugzilla.suse.com/1001374"
},
{
"category": "self",
"summary": "SUSE Bug 1008047",
"url": "https://bugzilla.suse.com/1008047"
},
{
"category": "self",
"summary": "SUSE Bug 1008050",
"url": "https://bugzilla.suse.com/1008050"
},
{
"category": "self",
"summary": "SUSE Bug 1031450",
"url": "https://bugzilla.suse.com/1031450"
},
{
"category": "self",
"summary": "SUSE Bug 1031451",
"url": "https://bugzilla.suse.com/1031451"
},
{
"category": "self",
"summary": "SUSE Bug 1056284",
"url": "https://bugzilla.suse.com/1056284"
},
{
"category": "self",
"summary": "SUSE Bug 1083304",
"url": "https://bugzilla.suse.com/1083304"
},
{
"category": "self",
"summary": "SUSE Bug 1083305",
"url": "https://bugzilla.suse.com/1083305"
},
{
"category": "self",
"summary": "SUSE Bug 967999",
"url": "https://bugzilla.suse.com/967999"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-2512 page",
"url": "https://www.suse.com/security/cve/CVE-2016-2512/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-7401 page",
"url": "https://www.suse.com/security/cve/CVE-2016-7401/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-9013 page",
"url": "https://www.suse.com/security/cve/CVE-2016-9013/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-9014 page",
"url": "https://www.suse.com/security/cve/CVE-2016-9014/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-12794 page",
"url": "https://www.suse.com/security/cve/CVE-2017-12794/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-7233 page",
"url": "https://www.suse.com/security/cve/CVE-2017-7233/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2017-7234 page",
"url": "https://www.suse.com/security/cve/CVE-2017-7234/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-7536 page",
"url": "https://www.suse.com/security/cve/CVE-2018-7536/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-7537 page",
"url": "https://www.suse.com/security/cve/CVE-2018-7537/"
}
],
"title": "Security update for python-Django",
"tracking": {
"current_release_date": "2018-04-27T13:24:32Z",
"generator": {
"date": "2018-04-27T13:24:32Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:1102-1",
"initial_release_date": "2018-04-27T13:24:32Z",
"revision_history": [
{
"date": "2018-04-27T13:24:32Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python-Django-1.8.19-3.6.1.noarch",
"product": {
"name": "python-Django-1.8.19-3.6.1.noarch",
"product_id": "python-Django-1.8.19-3.6.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 6",
"product": {
"name": "SUSE OpenStack Cloud 6",
"product_id": "SUSE OpenStack Cloud 6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-Django-1.8.19-3.6.1.noarch as component of SUSE OpenStack Cloud 6",
"product_id": "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
},
"product_reference": "python-Django-1.8.19-3.6.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-2512",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-2512"
}
],
"notes": [
{
"category": "general",
"text": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-2512",
"url": "https://www.suse.com/security/cve/CVE-2016-2512"
},
{
"category": "external",
"summary": "SUSE Bug 967999 for CVE-2016-2512",
"url": "https://bugzilla.suse.com/967999"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "important"
}
],
"title": "CVE-2016-2512"
},
{
"cve": "CVE-2016-7401",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-7401"
}
],
"notes": [
{
"category": "general",
"text": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-7401",
"url": "https://www.suse.com/security/cve/CVE-2016-7401"
},
{
"category": "external",
"summary": "SUSE Bug 1001374 for CVE-2016-7401",
"url": "https://bugzilla.suse.com/1001374"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "moderate"
}
],
"title": "CVE-2016-7401"
},
{
"cve": "CVE-2016-9013",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-9013"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-9013",
"url": "https://www.suse.com/security/cve/CVE-2016-9013"
},
{
"category": "external",
"summary": "SUSE Bug 1008050 for CVE-2016-9013",
"url": "https://bugzilla.suse.com/1008050"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "low"
}
],
"title": "CVE-2016-9013"
},
{
"cve": "CVE-2016-9014",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-9014"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-9014",
"url": "https://www.suse.com/security/cve/CVE-2016-9014"
},
{
"category": "external",
"summary": "SUSE Bug 1008047 for CVE-2016-9014",
"url": "https://bugzilla.suse.com/1008047"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "low"
}
],
"title": "CVE-2016-9014"
},
{
"cve": "CVE-2017-12794",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-12794"
}
],
"notes": [
{
"category": "general",
"text": "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn\u0027t affect most production sites since you shouldn\u0027t run with \"DEBUG = True\" (which makes this page accessible) in your production settings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-12794",
"url": "https://www.suse.com/security/cve/CVE-2017-12794"
},
{
"category": "external",
"summary": "SUSE Bug 1056284 for CVE-2017-12794",
"url": "https://bugzilla.suse.com/1056284"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "moderate"
}
],
"title": "CVE-2017-12794"
},
{
"cve": "CVE-2017-7233",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-7233"
}
],
"notes": [
{
"category": "general",
"text": "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn\u0027t be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-7233",
"url": "https://www.suse.com/security/cve/CVE-2017-7233"
},
{
"category": "external",
"summary": "SUSE Bug 1031450 for CVE-2017-7233",
"url": "https://bugzilla.suse.com/1031450"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "low"
}
],
"title": "CVE-2017-7233"
},
{
"cve": "CVE-2017-7234",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2017-7234"
}
],
"notes": [
{
"category": "general",
"text": "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2017-7234",
"url": "https://www.suse.com/security/cve/CVE-2017-7234"
},
{
"category": "external",
"summary": "SUSE Bug 1031451 for CVE-2017-7234",
"url": "https://bugzilla.suse.com/1031451"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "low"
}
],
"title": "CVE-2017-7234"
},
{
"cve": "CVE-2018-7536",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-7536"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-7536",
"url": "https://www.suse.com/security/cve/CVE-2018-7536"
},
{
"category": "external",
"summary": "SUSE Bug 1083304 for CVE-2018-7536",
"url": "https://bugzilla.suse.com/1083304"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "moderate"
}
],
"title": "CVE-2018-7536"
},
{
"cve": "CVE-2018-7537",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-7537"
}
],
"notes": [
{
"category": "general",
"text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-7537",
"url": "https://www.suse.com/security/cve/CVE-2018-7537"
},
{
"category": "external",
"summary": "SUSE Bug 1083305 for CVE-2018-7537",
"url": "https://bugzilla.suse.com/1083305"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-04-27T13:24:32Z",
"details": "moderate"
}
],
"title": "CVE-2018-7537"
}
]
}