CVE-2013-0305
Published: 2013-05-02
Priority: P4 · CVSS 2.0 base score: 4.0 (medium)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS: 1.80% (75.9th percentile)
The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — (4 entries, no version data) | — |
| debian | python-django | < 1.4.4-1 (bookworm) | 1.4.4-1 (bookworm) |
| djangoproject | django | — (8 entries, no version data) | — |
| djangoproject | django | >= 1.3, < 1.3.6 | 1.3.6 |
| djangoproject | django | >= 1.4, < 1.4.4 | 1.4.4 |
The 1.5 pre-release range named in the description (1.5 before release candidate 2) has no row in this table.
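To check an installed Django against the ranges in the description (1.3.x before 1.3.6, 1.4.x before 1.4.4, 1.5 before release candidate 2), here is an added example in plain Python; it is not part of the advisory or of Django. It assumes Django-style version strings as produced by django.get_version() (pre-releases spelled 1.5a1, 1.5b1, 1.5c1, with rc also accepted) and treats branches older than 1.3, which the advisory does not list, as affected (an assumption: those branches were out of support and did not receive this fix).

```python
import re

# Affected ranges from the advisory: 1.3.x < 1.3.6, 1.4.x < 1.4.4,
# and 1.5 before release candidate 2 (Django spelled RC2 as "1.5c2").
#
# A version string is parsed into (major, minor, micro, stage_rank, stage_num).
# Final releases rank above release candidates, which rank above betas and
# alphas, so "1.5a1" < "1.5b1" < "1.5c1" < "1.5c2" < "1.5".
_STAGE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "c": 2, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]?(a|alpha|b|beta|c|rc)(\d+))?$"
)


def parse_version(text):
    """Return a comparable tuple for a Django-style version string."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, micro, stage, stage_num = m.groups()
    key = (int(major), int(minor), int(micro or 0))
    if stage is None:
        return key + (_FINAL_RANK, 0)
    return key + (_STAGE_RANK[stage], int(stage_num))


def is_affected(version):
    """True if this Django version lacks the CVE-2013-0305 fix."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch == (1, 3):
        return v < parse_version("1.3.6")
    if branch == (1, 4):
        return v < parse_version("1.4.4")
    if branch == (1, 5):
        return v < parse_version("1.5c2")
    # Assumption (not stated by the advisory): branches older than 1.3 were
    # unsupported and never got the fix, so report them as affected rather
    # than letting them pass silently.  1.6 and later carry the fix.
    return branch < (1, 3)


if __name__ == "__main__":
    for candidate in ("1.3.5", "1.3.6", "1.4.3", "1.4.4", "1.5c1", "1.5c2", "1.5"):
        print(candidate, "affected" if is_affected(candidate) else "fixed")
```

Feed it the output of `python -c "import django; print(django.get_version())"` from the deployment's own interpreter. For distribution packages (the Debian and Ubuntu entries below), compare the package version against the vendor's fixed-in version instead: a backported fix keeps the old upstream number, so the upstream range alone gives a false positive.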
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 4.0 | MEDIUM | — |
| vendor_ubuntu | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 4.0 | MEDIUM | — |
| vendor_redhat | — | 4.0 | MEDIUM | — |
The Ubuntu score is attached to a notice that also covers CVE-2012-4520 (see the Ubuntu entry below), so it does not rate this flaw on its own.
OSV
Django Data leakage via admin history log
osv · 2022-05-05 · MEDIUM
(same description as above)
GHSA
Django Data leakage via admin history log
ghsa · 2022-05-05 · MEDIUM · CWE-200
(same description as above)
OSV
CVE-2013-0305
osv · 2013-05-02 · CVSS 4.0 · MEDIUM
(same description as above)
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2013-03-07 · CVSS 6.4 · MEDIUM · indexed under CVE-2012-4520 (the notice covers more than one CVE)
Summary: Several security issues were fixed in Django.
James Kettle discovered that Django did not properly filter the Host HTTP header when processing certain requests. An attacker could exploit this to generate and display arbitrary URLs to users. Although this issue had been previously addressed in USN-1632-1, this update adds additional hardening measures to host header validation. This update also adds a new ALLOWED_HOSTS setting that can be set to a list of acceptable values for headers. (CVE-2012-4520)
Orange Tsai discovered that Django incorrectly performed permission checks when displaying the history view in the admin interface. An administrator could use this flaw to view the history of any object, regardless of intended permissions. (CVE-2013-03
Red Hat
Django: Data leakage via admin history log
vendor_redhat · 2013-02-19 · CVSS 4.0 · MEDIUM
(same description as above)
Package: Django (Red Hat Subscription Asset Manager) - Affected
Debian
python-django: CVE-2013-0305
vendor_debian · 2013 · CVSS 4.0 · MEDIUM
(same description as above)
Scope: local
bookworm: resolved (fixed in 1.4.4-1)
bullseye: resolved (fixed in 1.4.4-1)
forky: resolved (fixed in 1.4.4-1)
sid: resolved (fixed in 1.4.4-1)
trixie: resolved (fixed in 1.4.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django various flaws [epel-5]
bugzilla · 2013-02-20 · CVSS 4.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
epel-5 tracking bug for Django: see blocks
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django14 various flaws [epel-6]
bugzilla · 2013-02-20 · CVSS 4.0 · MEDIUM
(automatically created tracking bug; same boilerplate as the epel-5 entry above)
epel-6 tracking bug for Django14: see blocks
Bugzilla
CVE-2013-0305 Django: Data leakage via admin history log
bugzilla · 2013-02-20 · CVSS 4.0 · MEDIUM
James Bennett of Django reports:
Django's bundled administrative interface keeps a log of actions taken, preserving the history of any object which is exposed through the admin interface. This history view does not perform any permission checks beyond confirming that the user has access to the administrative interface; as such, any user with admin access can view the history of any object accessible in the admin interface, and see summaries of each change made to an object.
To remedy this, the admin history view for an object will now perform the same permission checks as other admin views for the same object.
External reference:
https://www.djangoproject.com/weblog/2013/feb/19/security/
Discussion:
Created Django tracking bugs
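The mechanism James Bennett describes, as an added example that is not part of the advisory or of Django's code base: the vulnerable history view gated only on admin access (an active staff user), while the fixed one additionally requires the per-model change permission, the check ModelAdmin.has_change_permission performs for the change view. User, LogEntry, ADMIN_LOG and the two history_view_* functions are constructed stand-ins written in plain Python so the example runs without Django installed.

```python
from collections import namedtuple


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


# Constructed stand-ins for the Django objects involved.  The real admin log
# (django.contrib.admin.models.LogEntry) is keyed by content type and object
# id in the same way; "perms" holds "app_label.change_model" codenames as
# User.get_all_permissions() returns them.
User = namedtuple("User", "username is_active is_staff perms")
LogEntry = namedtuple("LogEntry", "app_label model object_id user change_message")

# Constructed admin log: two entries for a sensitive payroll object, one for a blog post.
ADMIN_LOG = [
    LogEntry("payroll", "salary", "42", "hr_admin", "Changed amount from 90000 to 120000."),
    LogEntry("payroll", "salary", "42", "hr_admin", "Changed bonus."),
    LogEntry("blog", "post", "7", "editor", "Changed title."),
]


def has_admin_access(user):
    """The only gate the vulnerable history view applied: an active staff user."""
    return user.is_active and user.is_staff


def has_change_permission(user, app_label, model):
    """Per-model check equivalent to ModelAdmin.has_change_permission."""
    return "%s.change_%s" % (app_label, model) in user.perms


def object_history(app_label, model, object_id):
    """All log entries recorded for one object, newest first is not needed here."""
    return [e for e in ADMIN_LOG
            if (e.app_label, e.model, e.object_id) == (app_label, model, object_id)]


def history_view_vulnerable(user, app_label, model, object_id):
    """Behaviour before 1.3.6 / 1.4.4: any staff user sees any object's history."""
    if not has_admin_access(user):
        raise PermissionDenied("admin login required")
    return object_history(app_label, model, object_id)


def history_view_fixed(user, app_label, model, object_id):
    """Fixed behaviour: the same per-model permission the change view requires."""
    if not has_admin_access(user):
        raise PermissionDenied("admin login required")
    if not has_change_permission(user, app_label, model):
        raise PermissionDenied("no change permission on %s.%s" % (app_label, model))
    return object_history(app_label, model, object_id)


def is_denied(view, user, app_label, model, object_id):
    """True if the view refuses the request with PermissionDenied."""
    try:
        view(user, app_label, model, object_id)
    except PermissionDenied:
        return True
    return False


def demo():
    """A staff user holding only blog.change_post asks for the salary object's history."""
    editor = User("editor", True, True, {"blog.change_post"})
    leaked = history_view_vulnerable(editor, "payroll", "salary", "42")
    blocked = is_denied(history_view_fixed, editor, "payroll", "salary", "42")
    return len(leaked), blocked


if __name__ == "__main__":
    print(demo())  # (2, True): two entries leak before the fix, refused after it
```

demo() returns (2, True): the vulnerable view hands the editor both payroll log entries, change messages included, and the fixed view refuses. The same idea gives a quick check on a live deployment: a staff account with no model permissions should get a 403, not a 200, from the admin history URL of any object. On Django 2.1 and later the history view also accepts the separate view permission, so a user holding only app.view_model is admitted there; the example follows the 1.3/1.4-era rule the advisory describes.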
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django various flaws [fedora-17]
bugzilla · 2013-02-20 · CVSS 4.0 · MEDIUM
(automatically created tracking bug; same boilerplate as the epel-5 entry above, for Fedora rather than Fedora EPEL)
fedora-17 tracking bug for Django: see blocks
Bugzilla
CVE-2013-0305 CVE-2013-0306 Django various flaws [epel-6]
bugzilla · 2013-02-20 · CVSS 4.0 · MEDIUM
(automatically created tracking bug; same boilerplate as the epel-5 entry above)
epel-6 tracking bug for Django: see blocks
References
http://rhn.redhat.com/errata/RHSA-2013-0670.html
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
https://www.djangoproject.com/weblog/2013/feb/19/security/