Bug 1016394 - (CVE-2013-6044) CVE-2013-6044 python-django: xss in is_safe_url function
CVE-2013-6044 python-django: xss in is_safe_url function
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130814,repor...
: Security
: 997121 (view as bug list)
Depends On: 1016395 1016396 1022836
Blocks: 997123 1016397
  Show dependency treegraph
 
Reported: 2013-10-08 02:01 EDT by Ratul Gupta
Modified: 2016-04-26 12:09 EDT (History)
21 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-22 13:41:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2013-10-08 02:01:14 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6044 to the following vulnerability:

Name: CVE-2013-6044
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6044
Assigned: 20131004

Reference: http://seclists.org/oss-sec/2013/q3/369
Reference: http://seclists.org/oss-sec/2013/q3/411
Reference: https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f
Reference: https://github.com/django/django/commit/ae3535169af804352517b7fea94a42a1c9c4b762
Reference: https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a
Reference: https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued
Reference: http://www.securityfocus.com/bid/61777
Reference: SECTRACK:1028915
Reference: http://www.securitytracker.com/id/1028915
Reference: SECUNIA:54476
Reference: http://secunia.com/advisories/54476
Reference: XF:django-issafeurl-xss(86437)
Reference: http://xforce.iss.net/xforce/xfdb/86437

The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, as demonstrated by "the login view in django.contrib.auth.views" and the javascript: scheme.
Comment 1 Ratul Gupta 2013-10-08 02:03:30 EDT
Created Django14 tracking bugs for this issue:

Affects: epel-6 [bug 1016396]
Comment 2 Ratul Gupta 2013-10-08 02:03:56 EDT
Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1016395]
Comment 4 errata-xmlrpc 2013-11-14 12:35:26 EST
This issue has been addressed in following products:

  OpenStack 3 for RHEL 6

Via RHSA-2013:1521 https://rhn.redhat.com/errata/RHSA-2013-1521.html
Comment 6 Kurt Seifried 2014-05-30 00:40:20 EDT
*** Bug 997121 has been marked as a duplicate of this bug. ***
Comment 7 Kurt Seifried 2016-01-22 13:41:51 EST
This does not affect any current versions of OpenStack.

Note You need to log in before you can comment on or make changes to this bug.