Main Vulnerability Database SB2014042602

SB2014042602 - Code Injection in py-django (Alpine package)

Published: April 26, 2014

Security Bulletin ID SB2014042602

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Code Injection (CVE-ID: CVE-2014-0472)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=d8d38d0581575f676da3491e75ab136626276613
https://git.alpinelinux.org/aports/commit/?id=5044db2a0efc6ce6d34e1f5130a47e32960f4d3c
https://git.alpinelinux.org/aports/commit/?id=761bfcda159e2c226f63239c4d10c8cfbd88b01a