CVE-2017-7234
Published: 2017-04-04
Priority: P4 · Severity: medium, CVSS 3.0 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.83% (76.2th percentile)
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.
Affected
42 ranges (the original page shows 25; the djangoproject/django entries carry no version data, so the repeated empty rows are collapsed here)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1:1.10.7-1 (bookworm) | python-django 1:1.10.7-1 (bookworm) |
| djangoproject | django | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
GHSA · 2019-01-04 · Django open redirect · CVE-2017-7234 [MEDIUM] CWE-601
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the `django.views.static.serve()` view could redirect to any other domain, aka an open redirect vulnerability.

OSV · 2019-01-04 · Django open redirect · CVE-2017-7234 [MEDIUM]
(Same description as the GHSA entry.)

OSV · 2017-04-04 · CVSS 6.1 · CVE-2017-7234 [MEDIUM]
(Same description as the GHSA entry.)
OSV · 2017-04-04 · CVSS 6.1 · python-django vulnerabilities · CVE-2017-7233 [MEDIUM]
It was discovered that Django incorrectly handled numeric redirect URLs. A remote attacker could possibly use this issue to perform XSS attacks, and to use a Django server as an open redirect. (CVE-2017-7233)
Phithon Gong discovered that Django incorrectly handled certain URLs when the django.views.static.serve() view is being used. A remote attacker could possibly use a Django server as an open redirect. (CVE-2017-7234)
Red Hat · vendor_redhat · 2017-04-04 · CVSS 6.1 · CVE-2017-7234 [MEDIUM] CWE-601
python-django: Open redirect vulnerability in django.views.static.serve()
(Same description as the GHSA entry.)
Package: python-django (Red Hat Ceph Storage 1.3) - Will not fix
Package: python-django (Red Hat Ceph Storage 2) - Will not fix
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operat
Ubuntu · vendor_ubuntu · 2017-04-04 · CVSS 6.1 · CVE-2017-7233 [MEDIUM]
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
(Same advisory text as the OSV "python-django vulnerabilities" entry above: CVE-2017-7233, numeric redirect URLs usable for XSS and open redirect; CVE-2017-7234, reported by Phithon Gong, open redirect through the django.views.static.serve() view.)
Instructions: In general, a standard system update will make all the necessary changes.
Debian · vendor_debian · 2017 · CVSS 6.1 · CVE-2017-7234 [MEDIUM]
CVE-2017-7234: python-django - A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, an...
(Same description as the GHSA entry.)
Scope: local
bookworm: resolved (fixed in 1:1.10.7-1)
bullseye: resolved (fixed in 1:1.10.7-1)
forky: resolved (fixed in 1:1.10.7-1)
sid: resolved (fixed in 1:1.10.7-1)
trixie: resolved (fixed in 1:1.10.7-1)
No detection rules found.
No public exploits indexed.
References:
- http://www.debian.org/security/2017/dsa-3835
- http://www.securityfocus.com/bid/97401
- http://www.securitytracker.com/id/1038177
- https://www.djangoproject.com/weblog/2017/apr/04/security-releases/