CVE-2014-0472 — Code Injection in Django

CWE-94 — Code Injection12 documents8 sources

Severity

5.1MEDIUMNVD

EPSS

6.9%

top 8.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django Canonical Ubuntu Linux

Timeline

PublishedApr 23

Latest updateMay 17

Description

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages2 packages

▶PyPIdjangoproject/django1.5 — 1.5.6+2

▶NVDdjangoproject/django1.4.10+20

Also affects: Ubuntu Linux 10.04, 12.04, 12.10, 13.10, 14.04

🔴Vulnerability Details

GHSA

Code Injection in Django↗2022-05-17

▶

OSV

Code Injection in Django↗2022-05-17

▶

CVEList

CVE-2014-0472: The django↗2014-04-23

▶

OSV

python-django regression↗2014-04-23

▶

OSV

CVE-2014-0472: The django↗2014-04-23

▶

📋Vendor Advisories

Ubuntu

Django regression↗2014-04-23

▶

Ubuntu

Django vulnerabilities↗2014-04-22

▶

Red Hat

python-django: unexpected code execution using reverse()↗2014-04-21

▶

Debian

CVE-2014-0472: python-django - The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x bef...↗2014

▶

💬Community

Bugzilla

CVE-2014-0472 python-django: unexpected code execution using reverse()↗2014-04-23

▶