CVE-2018-14574

Description

django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.

CVSS Metrics

• v4.0•MEDIUM•Score: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
• v3.0•MEDIUM•Score: 6.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
• v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 7.48%• Percentile: 92%

Techniques & Countermeasures

• CWE-601•URL Redirection to Untrusted Site ('Open Redirect')

  The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Affected Systems

• canonical•ubuntu_linux

  18.04

• debian•debian_linux

  9.0

• djangoproject•django

  ≥ 1.11, < 1.11.15 | ≥ 2.0, < 2.0.8

• PyPI•django

  ≥ 2.0, < 2.0.8 | ≥ 1.11, < 1.11.15

References (16)

• https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
• https://usn.ubuntu.com/3726-1/
• https://www.debian.org/security/2018/dsa-4264
• http://www.securitytracker.com/id/1041403
• https://access.redhat.com/errata/RHSA-2019:0265
• http://www.securityfocus.com/bid/104970
• https://nvd.nist.gov/vuln/detail/CVE-2018-14574
• https://github.com/django/django/commit/6fffc3c6d420e44f4029d5643f38d00a39b08525
• https://github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c
• https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff
• https://github.com/advisories/GHSA-5hg3-6c2f-f3wr
• https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-2.yaml
• https://usn.ubuntu.com/3726-1
• https://web.archive.org/web/20190901075632/http://www.securitytracker.com/id/1041403
• https://web.archive.org/web/20200227115315/http://www.securityfocus.com/bid/104970
• https://www.djangoproject.com/weblog/2018/aug/01/security-releases