CVE-2014-3730
Django Allows Open Redirects
Severity: HIGH 7.5 | EPSS: 0.99%
Published: 2022/5/14 | Modified: 2026/4/28
Description
The django.utils.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com".
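To show what "does not properly validate" means for a redirect target, the following is an added illustration, not Django's own code: a naive urlparse-only check beside a hardened one that follows the tightening approach of the fix (treat backslashes as slashes, reject ambiguous absolute forms such as a scheme with no host). The function names and the host value `example.com` are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed sample: the malformed URL cited in the advisory (three backslashes).
MALFORMED_URL = "http:\\\\\\djangoproject.com"


def naive_is_safe_url(url, host):
    """Pre-hardening style check (illustrative): trusts urlparse's split alone."""
    if not url:
        return False
    info = urlparse(url)
    return ((not info.netloc or info.netloc == host) and
            (not info.scheme or info.scheme in ("http", "https")))


def hardened_is_safe_url(url, host):
    """Hardened check: normalise backslashes and reject ambiguous absolute forms."""
    if not url:
        return False
    # Browsers such as Chrome treat '\' as '/', so normalise before parsing;
    # otherwise urlparse sees a path where the browser sees a host.
    url = url.replace("\\", "/")
    # '///host' is an absolute URL to a browser but a bare path to urlparse.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # A scheme without a netloc ('http:///example.com') is equally ambiguous.
    if not info.netloc and info.scheme:
        return False
    return ((not info.netloc or info.netloc == host) and
            (not info.scheme or info.scheme in ("http", "https")))


def compare(url, host="example.com"):
    """Return (naive_verdict, hardened_verdict) for a candidate redirect target."""
    return naive_is_safe_url(url, host), hardened_is_safe_url(url, host)


if __name__ == "__main__":
    for candidate in (MALFORMED_URL, "///evil.example",
                      "/accounts/profile/", "https://example.com/next"):
        print(repr(candidate), compare(candidate))
```

The naive check accepts the advisory's malformed URL because urlparse yields an empty netloc and a path of `\\\djangoproject.com`, while a browser follows it to djangoproject.com.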
Affected packages (3)
- Debian/python-django: from 0, < 1.6.5-1
- PyPI/django: >= 1.4, < 1.4.13
- PyPI/django: >= 1.4, < 1.4.13; >= 1.5, < 1.5.8; >= 1.6, < 1.6.5; >= 1.7a0, < 1.7b4
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (17)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2014-3730
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2014-3730
- ADVISORY: https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/
- PATCH: https://github.com/django/django
- WEB: http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
- WEB: http://secunia.com/advisories/61281
- WEB: https://github.com/django/django/commit/601107524523bca02376a0ddc1a06c6fdb8f22f3
- WEB: https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df
- WEB: https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-20.yaml
- WEB: https://web.archive.org/web/20200228171223/http://www.securityfocus.com/bid/67410
- WEB: https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued
- WEB: http://ubuntu.com/usn/usn-2212-1
- WEB: http://www.debian.org/security/2014/dsa-2934
- WEB: http://www.openwall.com/lists/oss-security/2014/05/14/10
- WEB: http://www.openwall.com/lists/oss-security/2014/05/15/3
- WEB: http://www.securityfocus.com/bid/67410