Bug #9175

[3.8] py-django: Open redirect possibility in CommonMiddleware (CVE-2018-14574)

Added by Alicha CH 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 08/02/2018
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs:

Description

If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
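The mechanism behind the advisory, as an added example that is not part of this ticket, of Django, or of the Alpine package: a request for //evil.example does not match a catch-all "anything ending in a slash" pattern, but //evil.example/ does, so APPEND_SLASH issues a redirect whose Location is the path plus a slash. A browser treats a Location of //evil.example/ as a protocol-relative URL and leaves the site. The block models that decision with a simplified resolver and reimplements the leading-slash escaping the upstream fix introduced (the real implementation lives in Django's HttpRequest and django.utils.http). The host victim.example, the catch-all pattern and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urljoin

# Constructed for this example: the site issuing the redirect and a catch-all
# URL pattern of the kind many CMSes define (any path ending in a slash).
SITE = "https://victim.example/"
URLPATTERNS = [re.compile(r"^.*/$")]


def resolves(path):
    """Return True if some URL pattern matches `path` (simplified resolver)."""
    return any(p.match(path) for p in URLPATTERNS)


def escape_leading_slashes(url):
    """Reimplementation of the escaping the fix added upstream: a path that
    starts with '//' becomes '/%2F...', so a user agent cannot read it as a
    protocol-relative URL pointing at another host."""
    if url.startswith("//"):
        url = "/%2F{}".format(url[2:])
    return url


def append_slash_location(path, fixed=True):
    """Simplified model of what CommonMiddleware puts in the Location header
    when APPEND_SLASH is enabled.  Returns None when no redirect is issued.

    fixed=False models the behaviour before Django 1.11.15 / 2.0.8, where the
    redirect target was simply the request path plus '/'."""
    if path.endswith("/") or resolves(path):
        return None
    if not resolves(path + "/"):
        return None
    location = path + "/"
    return escape_leading_slashes(location) if fixed else location


def resolved_by_browser(location):
    """Where a user agent actually ends up for a (relative) Location value."""
    return urljoin(SITE, location)


if __name__ == "__main__":
    for path in ("/about", "//evil.example"):
        for fixed in (False, True):
            loc = append_slash_location(path, fixed=fixed)
            print("path=%-16s fixed=%-5s Location=%-20s -> %s"
                  % (path, fixed, loc, resolved_by_browser(loc)))
```

A quick check for an affected deployment is to request a path beginning with two slashes against a URL that otherwise would be slash-appended and inspect the Location header: a value that starts with // is the open redirect; a patched Django answers with /%2F... instead, which stays on the same host.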

Fixed In Version:

Django 1.11.15 and Django 2.0.8

References:

https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
http://openwall.com/lists/oss-security/2018/08/01/2

Patch:

https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff


Related issues

Copied from Alpine Linux - Bug #9173: py-django: Open redirect possibility in CommonMiddleware (CVE-2018-14574) (New, 2018-08-02)

Associated revisions

Revision 9b6522ff (diff)
Added by Natanael Copa 6 months ago

main/py-django: security upgrade to 1.11.15 (CVE-2018-14574)

fixes #9175

History

#1 Updated by Alicha CH 6 months ago

  • Copied from Bug #9173: py-django: Open redirect possibility in CommonMiddleware (CVE-2018-14574) added

#2 Updated by Natanael Copa 6 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#3 Updated by Alicha CH 6 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
  • Security IDs deleted (CVE-2018-14574)