Bug 1609031 (CVE-2018-14574)

Summary: CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: apevec, bbuckingham, bcourt, bkearney, cbillett, chrisw, jal233, jjoyce, jschluet, kbasil, lhh, lpeer, markmc, mburns, mhroncok, michel, mmccune, mrike, mrunge, ohadlevy, rbryant, rchan, rhos-maint, rjerrido, sclewis, security-response-team, sgallagh, sisharma, slinaber, srevivo, ssaha, tdecacqu, tomckay, vbellur
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Django 2.1, Django 2.0.8, Django 1.11.15
Doc Type: If docs needed, set a value
Doc Text:
When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect.
Last Closed: 2019-06-10 10:34:22 UTC
Bug Depends On: 1611051, 1611050, 1611052, 1612125, 1617844, 1617846, 1617847, 1617849, 1617851, 1617853, 1617855, 1617857, 1635700, 1635701, 1642590
Bug Blocks: 1609035

Description Laura Pardo 2018-07-26 18:58:57 UTC
A flaw was found in Django. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
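The redirect described above, modelled as an added Python example that is not Django's code: it builds the Location value an APPEND_SLASH redirect would send for a request path, first without and then with the leading-slash escaping that the fixed releases apply (Django's own helper for this is django.utils.http.escape_leading_slashes; the function names below are the example's own). A request path is assumed to arrive exactly as the client sent it, including any leading double slash.

```python
"""Added example: why an APPEND_SLASH redirect must escape leading slashes.

Re-implemented in a few lines so the defect and its fix run offline without
Django installed; names and inputs here are constructed for the example.
"""
from urllib.parse import urlencode


def escape_leading_slashes(url):
    """Turn a second leading slash into %2F.

    A Location of '//host/...' is scheme-relative and sends the browser to
    another host; '/%2Fhost/...' stays a path on the current host. This is
    the same transformation the upstream fix applies.
    """
    if url.startswith("//"):
        url = "/%2F" + url[2:]
    return url


def build_append_slash_target(path, query=None, escape=True):
    """Return the redirect target APPEND_SLASH would produce for `path`.

    `path` is the request path without its trailing slash. `escape=False`
    models the pre-fix behaviour; `escape=True` models Django 2.1 / 2.0.8 /
    1.11.15 and later.
    """
    target = path + "/"
    if escape:
        target = escape_leading_slashes(target)
    if query:
        target += "?" + urlencode(query)
    return target


def is_same_host_redirect(location):
    """Defender-side check for relative redirects.

    A safe relative Location is a single-slash path. '//' is scheme-relative,
    and '/\\' is treated like '//' by some browsers, so both are rejected.
    """
    return (
        location.startswith("/")
        and not location.startswith("//")
        and not location.startswith("/\\")
    )
```

Running `is_same_host_redirect` over the two variants for a path that begins with two slashes shows the unescaped redirect leaving the site while the escaped one stays on it.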

Comment 2 James Hebden 2018-08-02 02:38:32 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1611050]
Affects: fedora-all [bug 1611052]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1611051]

Comment 3 Miro Hrončok 2018-08-02 08:56:43 UTC
Note that there is also:

https://src.fedoraproject.org/rpms/python2-django1.11

And:

https://src.fedoraproject.org/rpms/python-django/branch/1.6 (1.6 modular build of Django for Fedora)

Comment 13 errata-xmlrpc 2019-02-04 07:43:42 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265

Comment 16 Summer Long 2021-03-27 05:26:17 UTC
Statement:

This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3 as the vulnerable code was introduced in a newer version of the package.

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.

Although Red Hat Satellite 6 contains the vulnerable component, it is not affected by this flaw since the condition to exploit the vulnerability cannot be satisfied.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-django package.