CVE-2017-7234

Aliases:GHSA-h4hv-m4h4-mhwgPYSEC-2017-10
Advisory lineage Upstream: 0 Downstream: 15
Modified
Published: 04 Apr 2017, 17:00
Last modified:05 Aug 2024, 15:56

Vulnerability Summary

Overall Risk (default)
low
24/100
CVSS Score
6.1 MEDIUM
v3.0 (nvd)
EPSS Score
0.26% LOW
0% probability -0.07%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

04 Apr 2017, 17:00
Published
Vulnerability first disclosed
05 Aug 2024, 15:56
Last Modified
Vulnerability information updated

Description

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.

CVSS Metrics

  • v4.0MEDIUMScore: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
  • v3.0MEDIUMScore: 6.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • v2.0MEDIUMScore: 5.8AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.26% Percentile: 49%

Techniques & Countermeasures

  • CWE-601URL Redirection to Untrusted Site ('Open Redirect')

    The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Affected Systems

  • djangoprojectdjango

    1.8.0 | 1.8.0:a1 | 1.8.0:b1 | 1.8.0:b2 | 1.8.0:c1 | 1.8.1 | 1.8.2 | 1.8.3 | 1.8.4 | 1.8.5 | 1.8.6 | 1.8.7 | 1.8.8 | 1.8.9 | 1.8.10 | 1.8.11 | 1.8.12 | 1.8.13 | 1.8.14 | 1.8.15 | 1.8.16 | 1.8.17 | 1.9 | 1.9:a1 | 1.9:b1 | 1.9:rc1 | 1.9:rc2 | 1.9.1 | 1.9.2 | 1.9.3 | 1.9.4 | 1.9.5 | 1.9.6 | 1.9.7 | 1.9.8 | 1.9.9 | 1.9.10 | 1.9.11 | 1.9.12 | 1.10.0 | 1.10.0:a1 | 1.10.0:b1 | 1.10.0:rc1 | 1.10.1 | 1.10.2 | 1.10.3 | 1.10.4 | 1.10.5 | 1.10.6

  • PyPIdjango

    ≥ 1.10, < 1.10.7 | ≥ 1.9, < 1.9.13 | ≥ 1.8, < 1.8.18

References (14)