CVE-2025-48432
MEDIUM4.0EPSS 0.41%Django Improper Output Neutralization for Logs vulnerability
發布日:2025/6/5修改日:2025/10/16
描述
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
受影響套件(4)
- Bitnami/django>= 4.2.0, < 4.2.23, >= 5.1.0, < 5.1.11, >= 5.2.0, < 5.2.3
- Debian/python-djangofrom 0, < 2:2.2.28-1~deb11u7
- PyPI/django>= 5.2, < 5.2.2
- PyPI/django>= 5.2, < 5.2.2, >= 5.1, < 5.1.10, >= 4.2, < 4.2.22
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N |
參考連結(15)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-48432
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-48432
- ADVISORYhttps://www.djangoproject.com/weblog/2025/jun/04/security-releases/
- PATCHhttps://github.com/django/django
- WEBhttps://docs.djangoproject.com/en/dev/releases/security
- WEBhttps://docs.djangoproject.com/en/dev/releases/security/
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-47.yaml
- WEBhttps://groups.google.com/g/django-announce
- WEBhttps://www.djangoproject.com/weblog/2025/jun/04/security-releases
- WEBhttps://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases
- WEBhttps://www.djangoproject.com/weblog/2025/jun/10/bugfix-releases/
- WEBhttp://www.openwall.com/lists/oss-security/2025/06/04/5
- WEBhttp://www.openwall.com/lists/oss-security/2025/06/10/2
- WEBhttp://www.openwall.com/lists/oss-security/2025/06/10/3
- WEBhttp://www.openwall.com/lists/oss-security/2025/06/10/4