CVE-2007-0404 — Django vulnerability

6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Django Project Django

Timeline

PublishedJan 23

Latest updateMay 1

Description

bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶PyPIdjangoproject/django0.95 — 1.0

▶NVDdjango_project/django0.95

Patches

Patch: secunia.com ↗Patch: secunia.com ↗

🔴Vulnerability Details

OSV

Django Arbitrary Code Execution↗2022-05-01

▶

GHSA

Django Arbitrary Code Execution↗2022-05-01

▶

CVEList

CVE-2007-0404: bin/compile-messages↗2007-01-23

▶

OSV

CVE-2007-0404: bin/compile-messages↗2007-01-23

▶

📋Vendor Advisories

Debian

CVE-2007-0404: python-django - bin/compile-messages.py in Django 0.95 does not quote argument strings before in...↗2007

▶