Resource management error in Django
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-0474 |
| CWE-ID | CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Django Web applications / CMS |
| Vendor | Django Software Foundation |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Resource management error
EUVDB-ID: #VU32542
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2014-0474
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 1.0 - 1.6.11
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
https://rhn.redhat.com/errata/RHSA-2014-0456.html
https://rhn.redhat.com/errata/RHSA-2014-0457.html
https://secunia.com/advisories/61281
https://www.debian.org/security/2014/dsa-2934
https://www.ubuntu.com/usn/USN-2169-1
https://www.djangoproject.com/weblog/2014/apr/21/security/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
