GSD-2014-0474
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-0474",
"description": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\"",
"id": "GSD-2014-0474",
"references": [
"https://www.suse.com/security/cve/CVE-2014-0474.html",
"https://www.debian.org/security/2014/dsa-2934",
"https://access.redhat.com/errata/RHSA-2014:0457",
"https://access.redhat.com/errata/RHSA-2014:0456",
"https://ubuntu.com/security/CVE-2014-0474",
"https://advisories.mageia.org/CVE-2014-0474.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-0474"
],
"details": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\"",
"id": "GSD-2014-0474",
"modified": "2023-12-13T01:22:44.332425Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0474",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-2169-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2169-1"
},
{
"name": "https://www.djangoproject.com/weblog/2014/apr/21/security/",
"refsource": "CONFIRM",
"url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
},
{
"name": "RHSA-2014:0457",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
},
{
"name": "61281",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61281"
},
{
"name": "DSA-2934",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2934"
},
{
"name": "openSUSE-SU-2014:1132",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
},
{
"name": "RHSA-2014:0456",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=1.4,\u003c1.4.11||\u003e=1.5,\u003c1.5.6||\u003e=1.6,\u003c1.6.3",
"affected_versions": "All versions starting from 1.4 before 1.4.11, all versions starting from 1.5 before 1.5.6, all versions starting from 1.6 before 1.6.3",
"credit": "Michael Koziarski",
"cvss_v2": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"cwe_ids": [
"CWE-1035",
"CWE-399",
"CWE-937"
],
"date": "2017-01-06",
"description": "When using a MySQL database, Django don\u0027t perform explicit conversion of the fields: * FilePathField * GenericIPAddressField * IPAddressField If a query is performed without first converting values to the appropriate type, this can produce unexpected results, similar to what would occur if the query itself had been manipulated. An attacker can possibly use this issue to obtain unexpected results. ",
"fixed_versions": [
"1.4.11",
"1.5.6",
"1.6.3"
],
"identifier": "CVE-2014-0474",
"identifiers": [
"CVE-2014-0474"
],
"package_slug": "pypi/Django",
"pubdate": "2014-04-23",
"solution": "Upgrade to latest",
"title": "MySQL typecasting",
"urls": [
"https://www.djangoproject.com/weblog/2014/apr/21/security/"
],
"uuid": "34132120-e91f-4c00-a38c-685691f28690"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.4.10",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:alpha1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:alpha2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0474"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to \"MySQL typecasting.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.djangoproject.com/weblog/2014/apr/21/security/",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://www.djangoproject.com/weblog/2014/apr/21/security/"
},
{
"name": "USN-2169-1",
"refsource": "UBUNTU",
"tags": [],
"url": "http://www.ubuntu.com/usn/USN-2169-1"
},
{
"name": "RHSA-2014:0457",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0457.html"
},
{
"name": "DSA-2934",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2014/dsa-2934"
},
{
"name": "RHSA-2014:0456",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0456.html"
},
{
"name": "openSUSE-SU-2014:1132",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
},
{
"name": "61281",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/61281"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-01-07T02:59Z",
"publishedDate": "2014-04-23T15:55Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…