CVE-2007-0404
Published: 2007-01-23
Priority: P3 36 · CVSS 2.0: 7.5 HIGH · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 1.56% (72.1st percentile)
bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.
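The mechanism is the classic os.system() injection: the script interpolates the translation file's path into a shell command string, so a .po/.mo file whose name contains shell metacharacters (backticks, `$(...)`, `;`) gets its payload executed by /bin/sh when a developer or build job runs the compile step. The following is an added illustration, not Django's own code from changeset 3592: it rebuilds the vulnerable command-building pattern, then shows the two standard fixes, quoting every interpolated argument with shlex.quote (what the CVE text literally asks for) and, preferably, dropping the shell entirely in favour of an argv list, plus an allow-list check on the path as defense in depth. The demo runs with a constructed malicious file name in a temporary directory and substitutes the POSIX `true` utility for msgfmt (assumption: a POSIX /bin/sh and `true` are available) so it runs without gettext installed; subprocess.run(..., shell=True) is used in place of os.system() because both hand the string to /bin/sh -c, and it lets the demo pin the working directory.

```python
"""Shell injection through unquoted file names passed to os.system()
(the CVE-2007-0404 pattern). Added example; not Django's code."""
import os
import re
import shlex
import subprocess
import tempfile

MARKER = "pwned"  # file the injected payload tries to create in the work dir

# Defense in depth: translation paths under a Django tree only ever need
# these characters. Anything else is rejected before it reaches a command.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+$")


def is_safe_path(path):
    """Allow-list check on a .po/.mo path (also refuses '..' components)."""
    return SAFE_PATH.match(path) is not None and ".." not in path.split("/")


def vulnerable_command(po_path, compiler="msgfmt"):
    """Command string built the way the 0.95 script did: the path is
    interpolated inside double quotes, so $(...), backticks and the like
    are still expanded by the shell."""
    pf = os.path.splitext(po_path)[0]
    return '%s -o "%s.mo" "%s.po"' % (compiler, pf, pf)


def quoted_command(po_path, compiler="msgfmt"):
    """Same shape, but every interpolated argument is shell-quoted, so
    the shell sees the file name as one literal word."""
    pf = os.path.splitext(po_path)[0]
    return "%s -o %s %s" % (
        compiler, shlex.quote(pf + ".mo"), shlex.quote(pf + ".po"))


def safe_argv(po_path, compiler="msgfmt"):
    """Preferred fix: an argv list exec'd without a shell, so no
    re-parsing of the arguments can happen at all."""
    pf = os.path.splitext(po_path)[0]
    return [compiler, "-o", pf + ".mo", pf + ".po"]


def run_in(workdir, cmd):
    """Run cmd in workdir. A str goes through /bin/sh -c exactly as
    os.system() would; a list is exec'd directly. Returns True if the
    injected payload managed to create MARKER."""
    subprocess.run(cmd, shell=isinstance(cmd, str), cwd=workdir,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return os.path.exists(os.path.join(workdir, MARKER))


def demo(strategy, compiler="true"):
    """Compile a .po whose *name* carries a command substitution and
    report whether the payload ran. strategy is 'vulnerable', 'quoted'
    or 'argv'. 'true' stands in for msgfmt so no gettext is needed."""
    builders = {"vulnerable": vulnerable_command,
                "quoted": quoted_command,
                "argv": safe_argv}
    # Constructed attacker-controlled file name: valid on POSIX file
    # systems, and "$(touch pwned)" is live inside double quotes.
    evil_name = "django$(touch %s).po" % MARKER
    with tempfile.TemporaryDirectory() as workdir:
        open(os.path.join(workdir, evil_name), "w").close()
        return run_in(workdir, builders[strategy](evil_name, compiler))


if __name__ == "__main__":
    for s in ("vulnerable", "quoted", "argv"):
        print("%-10s payload executed: %s" % (s, demo(s)))
    print("allow-list accepts normal path:",
          is_safe_path("locale/de/LC_MESSAGES/django.po"))
```

Only the `vulnerable` strategy creates the marker; the quoted string and the argv list both pass the hostile name through untouched. Of the two fixes, prefer the argv list: shlex.quote is correct for POSIX shells but does nothing useful on Windows cmd.exe, while an argv list needs no shell on either platform.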
Affected: 3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 0.95.1-1 (bookworm) | python-django 0.95.1-1 (bookworm) |
| django_project | django | — | — |
| djangoproject | django | >= 0.95 < 1.0 | 1.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
Advisories indexed for this CVE (each carries the same description as the NVD entry above):

| Source | Advisory title | Date | Severity |
|---|---|---|---|
| OSV | Django Arbitrary Code Execution | 2022-05-01 | HIGH |
| GHSA | Django Arbitrary Code Execution | 2022-05-01 | HIGH |
| OSV | CVE-2007-0404: bin/compile-messages | 2007-01-23 | HIGH, CVSS 7.5 |
| Debian | CVE-2007-0404: python-django - bin/compile-messages.py in Django 0.95 does not quote argument strings before in... | 2007 | HIGH, CVSS 7.5 |

Debian tracker scope: local (note that the NVD vector above scores the same issue as AV:N).
Debian status: bookworm, bullseye, forky, sid, trixie all resolved (fixed in 0.95.1-1).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
http://code.djangoproject.com/changeset/3592
http://secunia.com/advisories/23826
http://www.securityfocus.com/bid/22134
https://exchange.xforce.ibmcloud.com/vulnerabilities/31627