Multiple vulnerabilities in Django

Updated: 2022-02-02
Risk Medium
Patch available YES
Number of vulnerabilities 7
CVE-ID CVE-2011-4137
CVE-2011-4138
CVE-2011-4139
CVE-2011-4140
CVE-2011-4136
CVE-2010-4534
CVE-2010-4535
CWE-ID CWE-399
CWE-20
CWE-352
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software
Django
Web applications / CMS

Vendor Django Software Foundation

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU44585

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-4137

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 0.91 - 1.3

CPE2.3
External links

https://openwall.com/lists/oss-security/2011/09/11/1
https://openwall.com/lists/oss-security/2011/09/13/2
https://openwall.com/lists/oss-security/2011/09/15/5
https://secunia.com/advisories/46614
https://www.debian.org/security/2011/dsa-2332
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU44586

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-4138

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
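Added example (not code from the Django project or from this bulletin) that reproduces the two URLField.verify_exists flaws above side by side: a check with no socket timeout that blocks on a peer which completes the TCP handshake but never sends data (CVE-2011-4137), and a HEAD probe that is silently downgraded to GET when the target answers with a redirect (CVE-2011-4138). The hostile server, its paths (/hang, /redirect, /target) and the function names are constructed for the demonstration; the server binds only to 127.0.0.1 on an ephemeral port. The hardened variant keeps HEAD across redirects and bounds every socket operation with a timeout.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307)

class HostileSite(BaseHTTPRequestHandler):
    """Constructed stand-in for an attacker-chosen URL on 127.0.0.1:
    /hang completes the TCP handshake and never sends a byte (case 2 in the advisory),
    /redirect answers 302 pointing at /target, /target records the method that arrived."""

    def log_message(self, *args):
        pass

    def _serve(self):
        srv = self.server
        if self.path == "/hang":
            srv.release.wait()      # hold the connection open until the demo is over
            return
        if self.path == "/redirect":
            self.send_response(302)
            self.send_header("Location", f"http://127.0.0.1:{srv.server_address[1]}/target")
            self.end_headers()
            return
        if self.path == "/target":
            srv.methods_seen.append(self.command)
        self.send_response(200 if self.path == "/target" else 404)
        self.end_headers()

    do_GET = do_HEAD = _serve

def _request(url, method, timeout):
    """One HTTP round trip; timeout=None is a blocking socket, as in the vulnerable code."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request(method, parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def verify_exists_legacy(url, max_redirects=5):
    """Pre-1.3.1 shape: no socket timeout, and a redirect target is fetched with GET."""
    method = "HEAD"
    for _ in range(max_redirects):
        status, location = _request(url, method, timeout=None)
        if status in REDIRECT_CODES and location:
            url, method = location, "GET"   # CVE-2011-4138: method downgraded on redirect
            continue
        return status < 400
    return False

def verify_exists_hardened(url, timeout=0.5, max_redirects=5):
    """Bounded timeout (CVE-2011-4137) and HEAD kept across redirects (CVE-2011-4138)."""
    method = "HEAD"
    for _ in range(max_redirects):
        status, location = _request(url, method, timeout=timeout)
        if status in REDIRECT_CODES and location:
            url = location
            continue
        return status < 400
    return False

def _still_blocked_after(fn, seconds):
    """Run fn in a daemon thread; True if it is still stuck after `seconds`."""
    def quiet():
        try:
            fn()
        except OSError:
            pass                    # the connection is torn down when the demo server stops
    t = threading.Thread(target=quiet, daemon=True)
    t.start()
    t.join(seconds)
    return t.is_alive()

def run_demo():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), HostileSite)
    srv.release, srv.methods_seen = threading.Event(), []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    out = {}
    try:
        out["legacy_blocks_on_silent_peer"] = _still_blocked_after(
            lambda: verify_exists_legacy(base + "/hang"), 1.0)
        try:
            verify_exists_hardened(base + "/hang")
            out["hardened_times_out"] = False
        except socket.timeout:
            out["hardened_times_out"] = True
        verify_exists_legacy(base + "/redirect")
        out["legacy_method_at_target"] = srv.methods_seen[-1]
        verify_exists_hardened(base + "/redirect")
        out["hardened_method_at_target"] = srv.methods_seen[-1]
    finally:
        srv.release.set()
        srv.shutdown()
    return out

if __name__ == "__main__":
    print(run_demo())
```

Even the hardened variant still makes the application server connect to a URL chosen by whoever submits the form, which is an outbound-request primitive in itself; the fix Django shipped deprecated verify_exists rather than patching it, and any replacement should additionally refuse loopback, link-local and RFC 1918 targets.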

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 0.91 - 1.3

CPE2.3
External links

https://openwall.com/lists/oss-security/2011/09/11/1
https://openwall.com/lists/oss-security/2011/09/13/2
https://secunia.com/advisories/46614
https://www.debian.org/security/2011/dsa-2332
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU44587

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-4139

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 0.91 - 1.3

CPE2.3
External links

https://openwall.com/lists/oss-security/2011/09/11/1
https://openwall.com/lists/oss-security/2011/09/13/2
https://secunia.com/advisories/46614
https://www.debian.org/security/2011/dsa-2332
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cross-site request forgery

EUVDB-ID: #VU44588

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-4140

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists because Django's CSRF protection validates the origin of a request against the request's own HTTP Host header. On a web server configured to serve the application for arbitrary Host values, an attacker who can point a DNS name (for example via a CNAME record) at that server can host a page whose JavaScript submits requests that look same-origin to the CSRF check, so forged requests are accepted. The Django project's advisory linked below describes the web-server configuration that closes this vector: the server should answer only for the host names it is meant to serve.
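Added example (not Django's code or this bulletin's) covering both Host-header issues, CVE-2011-4139 above under item 3 and CVE-2011-4140 here: a link builder and a CSRF origin check that trust the client-supplied Host header, beside versions that validate Host and Referer against a deployment-owned allowlist, the approach Django later standardised as ALLOWED_HOSTS. The allowlist entries, the attacker name evil.attacker.test (a reserved .test domain the attacker is assumed to point at the application's IP) and all function names are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed deployment facts; a real application would take these from settings.
ALLOWED_HOSTS = ("app.example.com", ".corp.example.com")   # leading dot: that domain and any subdomain
_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?$")

def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return the normalised host[:port] if the Host header is well formed and allowlisted, else None."""
    if not host_header:
        return None
    m = _HOST_RE.match(host_header.strip().lower())
    if not m:
        return None
    host = m.group(1)
    for pattern in allowed:
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return m.group(0)
        if host == pattern:
            return m.group(0)
    return None

def absolute_url_legacy(host_header, path, scheme="https"):
    """Pattern behind CVE-2011-4139: whatever the client sent as Host ends up in the generated link."""
    return f"{scheme}://{host_header}{path}"

def absolute_url_hardened(host_header, path, scheme="https"):
    host = host_is_allowed(host_header)
    if host is None:
        raise ValueError(f"refusing to build a URL from Host header {host_header!r}")
    return f"{scheme}://{host}{path}"

def _referer_host(referer):
    parts = urlsplit(referer or "")
    return parts.netloc.lower() if parts.scheme == "https" and parts.netloc else None

def csrf_origin_ok_legacy(host_header, referer):
    """Pattern behind CVE-2011-4140: the Referer is compared with the request's own Host header.
    When the server answers for any Host and the attacker can point a DNS name at it,
    both values are attacker-chosen and the comparison passes."""
    ref = _referer_host(referer)
    return ref is not None and ref == (host_header or "").lower()

def csrf_origin_ok_hardened(host_header, referer):
    """Both the Host and the Referer must name a host the deployment actually owns."""
    return host_is_allowed(host_header) is not None and host_is_allowed(_referer_host(referer)) is not None

def run_demo():
    evil = "evil.attacker.test"   # constructed: attacker-controlled DNS name pointed at the app's IP
    out = {"legacy_reset_link": absolute_url_legacy(evil, "/reset/abc/")}
    try:
        absolute_url_hardened(evil, "/reset/abc/")
        out["hardened_rejects_host"] = False
    except ValueError:
        out["hardened_rejects_host"] = True
    out["hardened_reset_link"] = absolute_url_hardened("App.Example.com:8443", "/reset/abc/")
    forged = (evil, f"https://{evil}/csrf.html")
    out["legacy_csrf_passes_forgery"] = csrf_origin_ok_legacy(*forged)
    out["hardened_csrf_passes_forgery"] = csrf_origin_ok_hardened(*forged)
    out["hardened_csrf_accepts_real"] = csrf_origin_ok_hardened("app.example.com", "https://app.example.com/form/")
    return out

if __name__ == "__main__":
    print(run_demo())
```

The poisoned reset link in the legacy output is exactly what a shared cache or an e-mailed password-reset message would carry to the next user; the hardened builder fails closed instead. The leading-dot rule deliberately requires the dot to be part of the suffix, so evilcorp.example.com does not match .corp.example.com.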

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 0.91 - 1.3

CPE2.3
External links

https://openwall.com/lists/oss-security/2011/09/11/1
https://openwall.com/lists/oss-security/2011/09/13/2
https://secunia.com/advisories/46614
https://www.debian.org/security/2011/dsa-2332
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU44589

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-4136

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
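Added example (not Django's code or this bulletin's) of the key-collision described above. A minimal cache-backed session store and an unrelated application feature share one flat cache; because the session store uses the bare session identifier as its cache key, a user who can write an arbitrary key into that cache can overwrite their own session data. The cache, the saved-search feature and the session contents are constructed; the prefix string used in the hardened run is the one Django's cache session backend uses for its keys.

```python
import secrets

class FlatCache(dict):
    """Constructed stand-in for a shared cache such as memcached: one flat key namespace."""
    def set(self, key, value):
        self[key] = value

class CacheSessionStore:
    """Minimal cache-backed session store; key_prefix="" reproduces the pre-1.3.1 layout."""
    def __init__(self, cache, session_key=None, key_prefix=""):
        self.cache = cache
        self.key_prefix = key_prefix
        self.session_key = session_key or secrets.token_hex(16)

    def _cache_key(self):
        return self.key_prefix + self.session_key

    def load(self):
        data = self.cache.get(self._cache_key())
        return dict(data) if isinstance(data, dict) else {}

    def save(self, data):
        self.cache.set(self._cache_key(), dict(data))

def remember_saved_search(cache, name, filters):
    """Constructed application feature sharing the cache: it stores a user-named
    saved search under a key taken straight from user input."""
    cache.set(name, filters)

def run_scenario(key_prefix):
    cache = FlatCache()
    # The attacker logs in normally and holds an ordinary session for user id 42.
    attacker = CacheSessionStore(cache, key_prefix=key_prefix)
    attacker.save({"_auth_user_id": 42})
    # The attacker knows their own session id (it is their cookie) and uses the saved-search
    # feature to write a session-shaped dict under exactly that key, naming the superuser (id 1).
    remember_saved_search(cache, attacker.session_key, {"_auth_user_id": 1})
    # Next request: the session backend loads whatever sits under the session's cache key.
    return CacheSessionStore(cache, attacker.session_key, key_prefix).load()

def run_demo():
    return {
        "unprefixed": run_scenario(""),
        "prefixed": run_scenario("django.contrib.sessions.cache"),
    }

if __name__ == "__main__":
    print(run_demo())
```

The prefix only helps if no other cache user can write keys starting with it; a cache shared between applications or trust levels needs per-tenant prefixes or separate backends as well.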

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 0.91 - 1.3

CPE2.3
External links

https://openwall.com/lists/oss-security/2011/09/11/1
https://openwall.com/lists/oss-security/2011/09/13/2
https://secunia.com/advisories/46614
https://www.debian.org/security/2011/dsa-2332
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU45481

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2010-4534

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
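Added example (not Django's code or this bulletin's) showing why an unrestricted query-string filter is an information-disclosure oracle. A toy changelist applies any field__path__lookup pair from the query string, so an admin user who may only see Articles extracts the related User's password hash one character at a time by watching whether any rows come back for created_by__password__regex=^prefix. The hardened changelist admits only lookups whose field path is declared in list_filter, which is the shape of the lookup_allowed check Django introduced. The model data, the relation map and the hash format are constructed.

```python
import re
import string

LOOKUP_TYPES = {"exact", "iexact", "contains", "startswith", "regex", "iregex", "gt", "lt", "in", "isnull"}

# Constructed fixtures: the admin lists Articles; the hash sits on the related User row.
USERS = {
    1: {"username": "admin", "password": "sha1$f00d$2c3e4b6a"},
    2: {"username": "editor", "password": "sha1$beef$9a8b7c6d"},
}
ARTICLES = [
    {"id": 10, "title": "Welcome", "created_by": 1},
    {"id": 11, "title": "Notes", "created_by": 2},
]
RELATIONS = {"created_by": USERS}   # foreign key -> related table

def _resolve(row, path):
    """Walk a field path such as ["created_by", "password"] across the relation."""
    value = row
    for part in path:
        value = value[part]
        if part in RELATIONS:
            value = RELATIONS[part][value]
    return value

def changelist_legacy(params):
    """Pre-fix behaviour: every field__path__lookup=value from the query string is applied."""
    rows = ARTICLES
    for key, wanted in params.items():
        *path, lookup = key.split("__")
        if lookup == "regex":
            rows = [r for r in rows if re.search(wanted, str(_resolve(r, path)))]
        elif lookup == "exact":
            rows = [r for r in rows if str(_resolve(r, path)) == wanted]
        else:
            raise ValueError("lookup not modelled in this example")
    return rows

def lookup_allowed(lookup, list_filter=("created_by",)):
    """The lookup's field path must be exactly a declared filter; walking further into
    the related model (created_by__password) is refused."""
    parts = lookup.split("__")
    if parts[-1] in LOOKUP_TYPES:
        parts = parts[:-1]
    return "__".join(parts) in list_filter

def changelist_hardened(params):
    for key in params:
        if not lookup_allowed(key):
            raise PermissionError(f"lookup {key!r} is not allowed from the query string")
    return changelist_legacy(params)

def leak_password_hash(changelist, max_len=40, alphabet=string.ascii_lowercase + string.digits + "$"):
    """Regex oracle: grow the known prefix by one character whenever the filtered list is non-empty."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            probe = "^" + re.escape(known + ch)
            if changelist({"created_by__username__exact": "admin",
                           "created_by__password__regex": probe}):
                known += ch
                break
        else:
            return known          # no character extends the match: the hash is complete
    return known

def run_demo():
    leaked = leak_password_hash(changelist_legacy)
    try:
        leak_password_hash(changelist_hardened)
        blocked = False
    except PermissionError:
        blocked = True
    return {"leaked": leaked, "hardened_blocks": blocked}

if __name__ == "__main__":
    print(run_demo())
```

The request count is linear in the hash length times the alphabet size, well within what a single staff account can issue unnoticed, which is why the disclosure is rated on confidentiality despite requiring admin login.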

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 0.91 - 1.3

CPE2.3
External links

https://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html
https://code.djangoproject.com/changeset/15031
https://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/
https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html
https://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/
https://secunia.com/advisories/42715
https://secunia.com/advisories/42827
https://secunia.com/advisories/42913
https://www.djangoproject.com/weblog/2010/dec/22/security/
https://www.openwall.com/lists/oss-security/2010/12/23/4
https://www.openwall.com/lists/oss-security/2011/01/03/5
https://www.securityfocus.com/archive/1/515446
https://www.securityfocus.com/bid/45562
https://www.ubuntu.com/usn/USN-1040-1
https://www.vupen.com/english/advisories/2011/0048
https://www.vupen.com/english/advisories/2011/0098
https://bugzilla.redhat.com/show_bug.cgi?id=665373


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU45482

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2010-4535

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
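Added example (not Django's code or this bulletin's) of the input bound described above. The decoder refuses base-36 strings longer than 13 digits, the cap Django's fix applied, and also rejects the signs, whitespace and underscores that Python's int() would otherwise accept; the freshness check then fails closed on any rejected token timestamp. The timeout window and the day-counter values are constructed.

```python
import string

_ALPHABET = string.digits + string.ascii_lowercase
MAX_BASE36_LEN = 13   # 36**13 > 2**64; a day counter inside a reset token needs four digits

def base36_to_int(s):
    """Decode base 36, refusing over-long input or any character outside [0-9a-z]."""
    if not s or len(s) > MAX_BASE36_LEN or any(c not in _ALPHABET for c in s):
        raise ValueError("invalid base36 input")
    return int(s, 36)

def int_to_base36(n):
    if n < 0:
        raise ValueError("negative base36 value")
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(_ALPHABET[r])
        if n == 0:
            return "".join(reversed(digits))

def reset_timestamp_is_fresh(ts_b36, today_days, timeout_days=3):
    """Accept the token's day counter only if it decodes and falls inside the reset window."""
    try:
        ts = base36_to_int(ts_b36)
    except ValueError:
        return False
    return 0 <= today_days - ts <= timeout_days

if __name__ == "__main__":
    print(reset_timestamp_is_fresh(int_to_base36(15000), 15002), reset_timestamp_is_fresh("z" * 40, 15002))
```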

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 0.91 - 1.3

CPE2.3
External links

https://code.djangoproject.com/changeset/15032
https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html
https://secunia.com/advisories/42715
https://secunia.com/advisories/42827
https://secunia.com/advisories/42913
https://www.djangoproject.com/weblog/2010/dec/22/security/
https://www.openwall.com/lists/oss-security/2010/12/23/4
https://www.openwall.com/lists/oss-security/2011/01/03/5
https://www.securityfocus.com/bid/45563
https://www.ubuntu.com/usn/USN-1040-1
https://www.vupen.com/english/advisories/2011/0048
https://www.vupen.com/english/advisories/2011/0098
https://bugzilla.redhat.com/show_bug.cgi?id=665373


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
