CVE-2018-14574
Published: 2018-08-03

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
Priority P3 48 · medium · CVSS 3.0: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit: EPSS 25.49% (97.7th percentile)
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-django | < python-django 1:1.11.15-1 (bookworm) | python-django 1:1.11.15-1 (bookworm) |
| djangoproject | django | >= 1.11 < 1.11.15 | 1.11.15 |
| djangoproject | django | >= 1.11 < 1.11.15 | 1.11.15 |
| djangoproject | django | >= 2.0 < 2.0.8 | 2.0.8 |
| djangoproject | django | >= 2.0 < 2.0.8 | 2.0.8 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
GHSA · 2018-10-04 · CVE-2018-14574 [MEDIUM] CWE-601 · Django open redirect
`django.middleware.common.CommonMiddleware` in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
OSV · 2018-10-04 · CVE-2018-14574 [MEDIUM] · Django open redirect
`django.middleware.common.CommonMiddleware` in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
OSV · 2018-08-03 · CVSS 6.1 · CVE-2018-14574 [MEDIUM] · CVE-2018-14574: django
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
Ubuntu (vendor_ubuntu) · 2018-08-01 · CVE-2018-14574 · Django vulnerability
Title: Django vulnerability
Summary: Django could be used as an open redirect.
Andreas Hug discovered that Django contained an open redirect in CommonMiddleware. A remote attacker could possibly use this issue to perform phishing attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat (vendor_redhat) · 2018-08-01 · CVSS 6.1 · CVE-2018-14574 [MEDIUM] CWE-601 · django: Open redirect possibility in CommonMiddleware
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect.
Statement: This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3 as the vulnerable code was introduced in a newer version of the package.
Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future
Debian (vendor_debian) · 2018 · CVSS 6.1 · CVE-2018-14574 [MEDIUM] · CVE-2018-14574: python-django - django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2....
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
Scope: local
Suite status:
bookworm: resolved (fixed in 1:1.11.15-1)
bullseye: resolved (fixed in 1:1.11.15-1)
forky: resolved (fixed in 1:1.11.15-1)
sid: resolved (fixed in 1:1.11.15-1)
trixie: resolved (fixed in 1:1.11.15-1)
No detection rules found.
Nuclei · CVSS 6.1 · CVE-2018-14574 [MEDIUM] · Django - Open Redirect
Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:

```yaml
id: CVE-2018-14574
info:
  name: Django - Open Redirect
  author: pikpikcu
  severity: medium
  description: Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 contains an open redirect vulnerability. If django.middleware.common.CommonMiddleware and APPEND_SLASH settings are selected, and if the project has a URL pattern that accepts any path ending in a slash, an
```
Bugzilla · 2018-08-02 · CVSS 6.1 · CVE-2018-14574 [MEDIUM] · CVE-2018-14574 python-django: django: Open redirect possibility in CommonMiddleware [epel-7]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-7.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following template t
Bugzilla · 2018-08-02 · CVSS 6.1 · CVE-2018-14574 [MEDIUM] · CVE-2018-14574 python-django: django: Open redirect possibility in CommonMiddleware [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla · 2018-08-02 · CVSS 6.1 · CVE-2018-14574 [MEDIUM] · CVE-2018-14574 python-django16: django: Open redirect possibility in CommonMiddleware [epel-7]
Discussion:
Use the following template
Bugzilla · 2018-07-26 · CVSS 6.1 · CVE-2018-14574 [MEDIUM] · CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
A flaw was found in Django. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
Discussion:
External Reference:
https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
Upstream Patches:
https://github.com/django/django/commit/a656a681272f8f3734b6eb38e9a88aa0d91806f1
https://github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c
https://github.com/django/django/commit/6fffc3c6d420
References:
http://www.securityfocus.com/bid/104970
http://www.securitytracker.com/id/1041403
https://access.redhat.com/errata/RHSA-2019:0265
https://usn.ubuntu.com/3726-1/
https://www.debian.org/security/2018/dsa-4264
https://www.djangoproject.com/weblog/2018/aug/01/security-releases/