Bug 1609031 (CVE-2018-14574) - CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
Summary: CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-14574
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1611051 1611050 1611052 1612125 1617844 1617846 1617847 1617849 1617851 1617853 1617855 1617857 1635700 1635701 1642590
Blocks: 1609035
TreeView+ depends on / blocked
 
Reported: 2018-07-26 18:58 UTC by Laura Pardo
Modified: 2021-03-27 05:26 UTC (History)
34 users (show)

Fixed In Version: Django 2.1, Django 2.0.8, Django 1.11.15
Doc Type: If docs needed, set a value
Doc Text:
When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:34:22 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0265 0 None None None 2019-02-04 07:43:45 UTC

Description Laura Pardo 2018-07-26 18:58:57 UTC 
A flaw was found in Django. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
Comment 1 Sam Fowler 2018-08-02 00:40:38 UTC 
External Reference:

https://www.djangoproject.com/weblog/2018/aug/01/security-releases/


Upstream Patches:

https://github.com/django/django/commit/a656a681272f8f3734b6eb38e9a88aa0d91806f1
https://github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c
https://github.com/django/django/commit/6fffc3c6d420e44f4029d5643f38d00a39b08525
https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff
Comment 2 James Hebden 2018-08-02 02:38:32 UTC 
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1611050]
Affects: fedora-all [bug 1611052]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1611051]
Comment 3 Miro Hrončok 2018-08-02 08:56:43 UTC 
Note that there is also:

https://src.fedoraproject.org/rpms/python2-django1.11

And:

https://src.fedoraproject.org/rpms/python-django/branch/1.6 (1.6 modular build of Django for Fedora)
Comment 13 errata-xmlrpc 2019-02-04 07:43:42 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265
Comment 16 Summer Long 2021-03-27 05:26:17 UTC 
Statement:

This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3 as the vulnerable code was introduced in a newer version of the package.

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.

Although Red Hat Satellite 6 contains the vulnerable component, it is not affected by this flaw since the condition to exploit the vulnerability cannot be satisfied.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-django package.
Note You need to log in before you can comment on or make changes to this bug.