ID CVE-2018-14574
Summary django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
References
Vulnerable Configurations
CVSS
Base: None
Impact:
Exploitability:
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4264.NASL
    description Andreas Hug discovered an open redirect in Django, a Python web development framework, which is exploitable if django.middleware.common.CommonMiddleware is used and the APPEND_SLASH setting is enabled.
    last seen 2018-08-10
    modified 2018-08-06
    plugin id 111537
    published 2018-08-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111537
    title Debian DSA-4264-1 : python-django - security update
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3726-1.NASL
    description Andreas Hug discovered that Django contained an open redirect in CommonMiddleware. A remote attacker could possibly use this issue to perform phishing attacks. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-08-02
    modified 2018-08-02
    plugin id 111511
    published 2018-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111511
    title Ubuntu 18.04 LTS : python-django vulnerability (USN-3726-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-875.NASL
    description This update for python-Django1 to version 1.11.15 fixes the following issues :
      The following security vulnerability was fixed :
      - CVE-2018-14574: Fixed an open redirect possibility in CommonMiddleware (boo#1102680)
      The following other bugs were fixed :
      - Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+
      - Fixed a regression where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary
      - Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed
      - Fixed a regression where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns
    last seen 2018-08-18
    modified 2018-08-17
    plugin id 111810
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111810
    title openSUSE Security Update : python-Django1 (openSUSE-2018-875)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-914.NASL
    description This update for python-Django to version 2.08 fixes the following issues :
      The following security vulnerability was fixed :
      - CVE-2018-14574: Fixed a redirection vulnerability in CommonMiddleware (boo#1102680)
      The following other bugs were fixed :
      - Fixed a regression in Django 2.0.7 that broke the regex lookup on MariaDB
      - Fixed a regression where django.template.Template crashed if the template_string argument is lazy
      - Fixed __regex and __iregex lookups with MySQL
      - Fixed admin check crash when using a query expression in ModelAdmin.ordering
      - Fixed admin changelist crash when using a query expression without asc() or desc() in the page's ordering
      - Fixed a regression that broke custom template filters that use decorators
      - Fixed detection of custom URL converters in included pattern
      - Fixed a regression that added an unnecessary subquery to the GROUP BY clause on MySQL when using a RawSQL annotation
      - Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+
      - Fixed a regression in Django 1.10 that could result in large memory usage when making edits using ModelAdmin.list_editable
      - Corrected the import paths that inspectdb generates for django.contrib.postgres fields
      - Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed
      - Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns
    last seen 2018-08-29
    modified 2018-08-27
    plugin id 112137
    published 2018-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112137
    title openSUSE Security Update : python-Django (openSUSE-2018-914)
refmap via4
bid 104970
confirm https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
debian DSA-4264
sectrack 1041403
ubuntu USN-3726-1
Last major update 07-08-2018 - 21:29
Published 03-08-2018 - 13:29
Last modified 07-08-2018 - 21:29