CVE-2014-0474
Published 2014-04-23
CVE-2014-0474: The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3…
Priority P3 · 44 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 4.75% (90.8th percentile)
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | python-django | < python-django 1.6.3-1 (bookworm) | python-django 1.6.3-1 (bookworm) |
| djangoproject | django | <= 1.4.10 | — |
| djangoproject | django | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 5.1 | MEDIUM | — |
Ubuntu
Django regression
vendor_ubuntu · 2014-04-23 · CVSS 5.1
CVE-2014-0472 [MEDIUM]
Summary: USN-2169-1 introduced a regression in Django.
USN-2169-1 fixed vulnerabilities in Django. The upstream security patch
for CVE-2014-0472 introduced a regression for certain applications. This
update fixes the problem.
Original advisory details:
Benjamin Bach discovered that Django incorrectly handled dotted Python
paths when using the reverse() function. An attacker could use this issue
to cause Django to import arbitrary modules from the Python path, resulting
in possible code execution. (CVE-2014-0472)
Paul McMillan discovered that Django incorrectly cached certain pages that
contained CSRF cookies. An attacker could possibly use this flaw to obtain
a valid cookie and perform attacks which bypass the CSRF restrictions.
(CVE-2014-0473)
Michael Koziar
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2014-04-22 · CVSS 5.1
CVE-2014-0472 [MEDIUM]
Summary: Several security issues were fixed in Django.
Benjamin Bach discovered that Django incorrectly handled dotted Python
paths when using the reverse() function. An attacker could use this issue
to cause Django to import arbitrary modules from the Python path, resulting
in possible code execution. (CVE-2014-0472)
Paul McMillan discovered that Django incorrectly cached certain pages that
contained CSRF cookies. An attacker could possibly use this flaw to obtain
a valid cookie and perform attacks which bypass the CSRF restrictions.
(CVE-2014-0473)
Michael Koziarski discovered that Django did not always perform explicit
conversion of certain fields when using a MySQL database. An attacker
could possibly use this issue to obtain unexpected results. (CVE-2
Red Hat
python-django: MySQL typecasting
vendor_redhat · 2014-04-21 · CVSS 10.0
CVE-2014-0474 [CRITICAL]
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Package: Django (Red Hat Subscription Asset Manager) - Will not fix
Debian
CVE-2014-0474: python-django - The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model f...
vendor_debian · 2014 · CVSS 10.0
CVE-2014-0474 [CRITICAL]
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Scope: local
bookworm: resolved (fixed in 1.6.3-1)
bullseye: resolved (fixed in 1.6.3-1)
forky: resolved (fixed in 1.6.3-1)
sid: resolved (fixed in 1.6.3-1)
trixie: resolved (fixed in 1.6.3-1)
OSV
Django Vulnerable to MySQL Injection
osv · 2022-05-17
CVE-2014-0474 [HIGH]
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
GHSA
Django Vulnerable to MySQL Injection
ghsa · 2022-05-17
CVE-2014-0474 [HIGH] CWE-89
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
OSV
CVE-2014-0474: The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1
osv · 2014-04-23 · CVSS 10.0
CVE-2014-0474 [CRITICAL]
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
OSV
python-django regression
osv · 2014-04-23 · CVSS 5.1
CVE-2014-0472 [MEDIUM]
USN-2169-1 fixed vulnerabilities in Django. The upstream security patch
for CVE-2014-0472 introduced a regression for certain applications. This
update fixes the problem.
Original advisory details:
Benjamin Bach discovered that Django incorrectly handled dotted Python
paths when using the reverse() function. An attacker could use this issue
to cause Django to import arbitrary modules from the Python path, resulting
in possible code execution. (CVE-2014-0472)
Paul McMillan discovered that Django incorrectly cached certain pages that
contained CSRF cookies. An attacker could possibly use this flaw to obtain
a valid cookie and perform attacks which bypass the CSRF restrictions.
(CVE-2014-0473)
Michael Koziarski discovered that Django did not always perform explic
OSV
python-django vulnerabilities
osv · 2014-04-22 · CVSS 5.1
CVE-2014-0472 [MEDIUM]
Benjamin Bach discovered that Django incorrectly handled dotted Python
paths when using the reverse() function. An attacker could use this issue
to cause Django to import arbitrary modules from the Python path, resulting
in possible code execution. (CVE-2014-0472)
Paul McMillan discovered that Django incorrectly cached certain pages that
contained CSRF cookies. An attacker could possibly use this flaw to obtain
a valid cookie and perform attacks which bypass the CSRF restrictions.
(CVE-2014-0473)
Michael Koziarski discovered that Django did not always perform explicit
conversion of certain fields when using a MySQL database. An attacker
could possibly use this issue to obtain unexpected results. (CVE-2014-0474)
No detection rules found.
No public exploits indexed.
arXiv
An Empirical Study of Vulnerabilities in Python Packages and Their Detection
arxiv_fulltext · 2025-09-04
Authors: Haowei Quan (Monash University, Melbourne, Australia); Junjie Wang (College of Intelligence and Computing, Tianjin University, Tianjin, China); Xinzhe Li (College of Intelligence and Computing, Tianjin University, Tianjin, China); Terry Yue Zhuo (Monash University, Melbourne, Australia); Xiao Chen (University of Newcastle, Newcastle, Australia); Xiaoning Du (Monash University, Melbourne, Australia)
Abstract
In the rapidly evolving software development landscape, Python stands out for its simplicity, versatility, and extensive ecosystem.
Python packages, as the unit for code organization, reusa
Bugzilla
CVE-2014-0474 python-django: MySQL typecasting
bugzilla · 2014-04-23 · CVSS 10.0
CVE-2014-0474 [CRITICAL]
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0474 to
the following vulnerability:
Name: CVE-2014-0474
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0474
Assigned: 20131219
Reference: https://www.djangoproject.com/weblog/2014/apr/21/security/
The (1) FilePathField, (2) GenericIPAddressField, and (3)
IPAddressField model field classes in Django before 1.4.11, 1.5.x
before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not
properly perform type conversion, which allows remote attackers to
have unspecified impact and vectors, related to "MySQL typecasting."
Discussion:
This has been addressed in Fedora 20 and EPEL6:
https://admin.fedoraproject.org/updates/Django14-1.4.11-1.el6
https://admin.fe
References:
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
http://rhn.redhat.com/errata/RHSA-2014-0456.html
http://rhn.redhat.com/errata/RHSA-2014-0457.html
http://secunia.com/advisories/61281
http://www.debian.org/security/2014/dsa-2934
http://www.ubuntu.com/usn/USN-2169-1
https://www.djangoproject.com/weblog/2014/apr/21/security/
Published: 2014-04-23