CVE-2016-2512
Published 2016-04-08
Priority P3 (35) · CVSS 3.0 7.4 high
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
EPSS: 4.04% (89.3th percentile)
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Affected
7 ranges listed; the four djangoproject rows that carry no version data are omitted below.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 1.9.4-1 (bookworm) | 1.9.4-1 (bookworm) |
| djangoproject | django | >= 0, < 1.8.10 | 1.8.10 |
| djangoproject | django | >= 1.9a1, < 1.9.3 | 1.9.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 7.4 | HIGH | — |
| vendor_debian | — | 7.4 | HIGH | — |
| vendor_redhat | — | 7.4 | HIGH | — |
| vendor_ubuntu | — | 7.4 | HIGH | — |
Ubuntu · Django regression
vendor_ubuntu · 2016-03-07 · CVSS 7.4 · HIGH
Summary: USN-2915-1 introduced a regression in Django.
USN-2915-1 fixed vulnerabilities in Django. The upstream fix for
CVE-2016-2512 introduced a regression for certain applications. This update
fixes the problem by applying the complete upstream regression fix.
Original advisory details:
Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)
Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
Instructions: In
Red Hat · python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
vendor_redhat · 2016-03-01 · CVSS 7.4 · HIGH · CWE-601
An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site.
Package: Django (Red Hat Ceph Storage 1.2) - Affected
Package: Django (Red Hat Ceph Storage 1.3) -
Ubuntu · Django vulnerabilities
vendor_ubuntu · 2016-03-01 · CVSS 7.4 · HIGH
Summary: Several security issues were fixed in Django.
Mark Striemer discovered that Django incorrectly handled user-supplied
redirect URLs containing basic authentication credentials. A remote
attacker could possibly use this issue to perform a cross-site scripting
attack or a malicious redirect. (CVE-2016-2512)
Sjoerd Job Postmus discovered that Django incorrectly handled timing when
doing password hashing operations. A remote attacker could possibly use
this issue to perform user enumeration. (CVE-2016-2513)
Instructions: In general, a standard system update will make all the necessary changes.
Debian · CVE-2016-2512: python-django
vendor_debian · 2016 · CVSS 7.4 · HIGH
Scope: local
bookworm: resolved (fixed in 1.9.4-1)
bullseye: resolved (fixed in 1.9.4-1)
forky: resolved (fixed in 1.9.4-1)
sid: resolved (fixed in 1.9.4-1)
trixie: resolved (fixed in 1.9.4-1)
GHSA · Django XSS Vulnerability
ghsa · 2022-05-17 · MEDIUM · CWE-79
The `utils.http.is_safe_url` function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by `http://mysite.example.com\@attacker.com`.
OSV · Django XSS Vulnerability
osv · 2022-05-17 · MEDIUM
Description identical to the GHSA entry above.
OSV · CVE-2016-2512: The utils
osv · 2016-04-08 · CVSS 7.4 · HIGH
Description identical to the NVD text at the top of this record.
OSV · python-django regression
osv · 2016-03-07 · CVSS 7.4 · HIGH
Advisory text identical to the Ubuntu "Django regression" entry above.
OSV · python-django vulnerabilities
osv · 2016-03-01 · CVSS 7.4 · HIGH
Advisory text identical to the Ubuntu "Django vulnerabilities" entry above.
No detection rules found.
No public exploits indexed.
Bugzilla · CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth [fedora-all]
bugzilla · 2016-03-03 · CVSS 7.4 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
Bugzilla · CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth [epel-7]
bugzilla · 2016-03-03 · CVSS 7.4 · HIGH
Auto-generated tracking-bug text, identical to the [fedora-all] tracking bug above except that the target is Fedora EPEL.
Bugzilla · CVE-2016-2512 django14: python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth [epel-6]
bugzilla · 2016-03-03 · CVSS 7.4 · HIGH
Auto-generated tracking-bug text, identical to the [fedora-all] tracking bug above except that the target is Fedora EPEL.
Bugzilla · CVE-2016-2512 python-django15: python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth [epel-6]
bugzilla · 2016-03-03 · CVSS 7.4 · HIGH
Auto-generated tracking-bug text, identical to the [fedora-all] tracking bug above except that the target is Fedora EPEL.
Bugzilla · CVE-2016-2512 python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
bugzilla · 2016-02-24 · CVSS 7.4 · HIGH
It was found that django.utils.http.is_safe_url(), used as a security check for redirect URLs, considered some malicious URLs with basic authentication credentials "safe"; e.g. http://mysite.example.com\@attacker.com would be considered safe. Relying on is_safe_url() to provide safe redirect targets and putting such URLs into a link can also lead to an XSS attack.
Discussion:
- Created attachment 1130108: Upstream patch 1.8.x
- Created attachment 1130110: Upstream patch 1.9.x
- Created attachment 1130112: Upstream patch master
- Commit message contains wrong CVE number, CVE-2016-2512 is correct.
External Reference:
https://www.djangoproject.com/weblog/201
http://rhn.redhat.com/errata/RHSA-2016-0502.html
http://rhn.redhat.com/errata/RHSA-2016-0504.html
http://rhn.redhat.com/errata/RHSA-2016-0505.html
http://rhn.redhat.com/errata/RHSA-2016-0506.html
http://www.debian.org/security/2016/dsa-3544
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/83879
http://www.securitytracker.com/id/1035152
http://www.ubuntu.com/usn/USN-2915-1
http://www.ubuntu.com/usn/USN-2915-2
http://www.ubuntu.com/usn/USN-2915-3
https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0
https://www.djangoproject.com/weblog/2016/mar/01/security-releases/
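As an added illustration of the defect the Bugzilla description above explains, the following Python is constructed for this page (it is neither Django's code nor the upstream patch): a naive validator that normalises backslashes before parsing accepts the advisory's example URL, while a hardened validator that checks both the raw and the normalised form and rejects any userinfo refuses it. `TRUSTED_HOST`, `DEMO_URL` and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed values for the demonstration (the host is the one in the advisory's example).
TRUSTED_HOST = "mysite.example.com"
DEMO_URL = "http://mysite.example.com\\@attacker.com"  # the advisory's example URL


def _same_host_check(url: str, host: str) -> bool:
    """Core test: relative URLs pass; absolute URLs must be http(s) on our host."""
    if url.startswith("///"):               # browsers read three slashes as absolute
        return False
    parts = urlsplit(url)
    if parts.scheme and not parts.netloc:   # e.g. http:///example.com
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    return not parts.netloc or parts.netloc == host


def naive_is_safe_url(url: str, host: str = TRUSTED_HOST) -> bool:
    """Flawed pattern (constructed, not Django's code): turn every backslash
    into a slash BEFORE parsing and validate only that normalised string.
    The backslash before '@' becomes a path separator, so the netloc looks
    like our host; a browser that does not treat '\\' as '/' instead reads
    'mysite.example.com\\' as userinfo and attacker.com as the host."""
    url = url.strip()
    return bool(url) and _same_host_check(url.replace("\\", "/"), host)


def hardened_is_safe_url(url: str, host: str = TRUSTED_HOST) -> bool:
    """Validate the raw URL AND the backslash-normalised form, and refuse
    any authority that carries userinfo ('@'), so both browser readings
    of the URL must agree that it stays on our host."""
    url = url.strip()
    if not url or not url[0].isprintable():   # leading control chars are unsafe
        return False
    for candidate in (url, url.replace("\\", "/")):
        if "@" in urlsplit(candidate).netloc:   # credentials in the authority
            return False
        if not _same_host_check(candidate, host):
            return False
    return True


if __name__ == "__main__":
    print("naive   :", naive_is_safe_url(DEMO_URL))      # True  (fooled)
    print("hardened:", hardened_is_safe_url(DEMO_URL))   # False (rejected)
```

The hardened variant also rejects protocol-relative (`//host`) and non-http(s) scheme targets, so it covers the common open-redirect shapes beyond the backslash case.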