Input validation error in Django

Published: 2014-05-16 | Updated: 2020-07-28

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2014-3730
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Django Web applications / CMS
Vendor	Django Software Foundation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU32537

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-3730

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\djangoproject.com."

Mitigation

Install update from vendor's website.

Vulnerable software versions

Django: 1.1.4 - 1.4.12

CPE2.3

cpe:2.3:a:django_software_foundation:django:1.4.12:*:*:*:*:*:*:*

External links

https://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
https://secunia.com/advisories/61281
https://ubuntu.com/usn/usn-2212-1
https://www.debian.org/security/2014/dsa-2934
https://www.openwall.com/lists/oss-security/2014/05/14/10
https://www.openwall.com/lists/oss-security/2014/05/15/3
https://www.securityfocus.com/bid/67410
https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.