Bug 1609031 (CVE-2018-14574) - CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
Summary: CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
Status: NEW
Alias: CVE-2018-14574
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180801:1400,...
Keywords: Security
Depends On: 1611051 1617851 1617855 1617857 1635700 1635701 1611050 1611052 1612125 1617844 1617846 1617847 1617849 1617853 1642590
Blocks: 1609035
 
Reported: 2018-07-26 18:58 UTC by Laura Pardo
Modified: 2019-04-22 21:35 UTC (History)
CC List: 35 users

Doc Text: When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect.
Clone Of:
Last Closed:




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0265 None None None 2019-02-04 07:43 UTC

Description Laura Pardo 2018-07-26 18:58:57 UTC
A flaw was found in Django. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
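
The mechanism behind the description above, as an added example that is not code from this bug report or from Django itself: a pure-Python model of the APPEND_SLASH redirect with no Django dependency. The request path `//evil.example` does not resolve, but `//evil.example/` does once a catch-all "anything ending in a slash" pattern exists, so CommonMiddleware answers with `Location: //evil.example/`, which browsers read as a scheme-relative URL and follow to the other host. The catch-all pattern is a constructed stand-in for such a URLconf, and the hardened branch follows the approach of the upstream fix, which escapes the second of two leading slashes as `%2F` so the Location value can only be a path on the same host.

```python
"""
Model of Django's APPEND_SLASH redirect (CommonMiddleware) showing the
CVE-2018-14574 open redirect and the fix. Added example; the URL matching
below stands in for a project's URLconf and is not Django code.
"""
from urllib.parse import urlsplit


def path_resolves(path):
    """Constructed stand-in for a URLconf with a CMS-style catch-all pattern
    such as re_path(r'^(?P<slug>.*)/$', page_view): any path that ends in a
    slash resolves, anything else does not."""
    return path.endswith("/")


def _full_path_with_slash(path, query_string):
    """Rebuild request.get_full_path(force_append_slash=True): append the
    slash to the path and keep the original query string."""
    new_path = path if path.endswith("/") else path + "/"
    if query_string:
        new_path += "?" + query_string
    return new_path


def escape_leading_slashes(url):
    """Turn '//host/...' into '/%2Fhost/...' so a browser treats the Location
    value as a path on this host rather than a scheme-relative URL. Mirrors
    the escaping used by the upstream fix (reimplemented here)."""
    if url.startswith("//"):
        url = "/%2F" + url[2:]
    return url


def append_slash_redirect(path, query_string="", hardened=False):
    """
    Return the Location value CommonMiddleware would send for a request whose
    path did not resolve, or None when no redirect happens.

    hardened=False reproduces the vulnerable behaviour (Django before
    1.11.15 / 2.0.8); hardened=True applies the escaping from the fix.
    """
    if path_resolves(path):
        return None  # the view handles it, nothing to redirect
    if path.endswith("/") or not path_resolves(path + "/"):
        return None  # APPEND_SLASH only fires when the slashed path resolves
    location = _full_path_with_slash(path, query_string)
    if hardened:
        location = escape_leading_slashes(location)
    return location


def is_scheme_relative(location):
    """True when a Location header would make a browser change host: no
    scheme, but a network location (the '//host' form)."""
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc != ""


if __name__ == "__main__":
    # Constructed requests: a benign one and the malicious one from the CVE.
    for req in ("/about", "//evil.example"):
        for hardened in (False, True):
            loc = append_slash_redirect(req, hardened=hardened)
            print(f"{req!r:20} hardened={hardened!s:5} -> Location: {loc!r}"
                  f"  cross-host={is_scheme_relative(loc)}")
```

The redirect only fires when the un-slashed path fails to resolve but the slashed one succeeds, which is why a project without a catch-all trailing-slash pattern is not exposed even with APPEND_SLASH on. A quick check against a running site is `curl -sI 'https://host//attacker.example' | grep -i '^location:'`; a `Location: //attacker.example/` answer is the vulnerable behaviour, `Location: /%2Fattacker.example/` (or a 404) is the fixed one.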

Comment 2 James Hebden 2018-08-02 02:38:32 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1611050]
Affects: fedora-all [bug 1611052]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1611051]

Comment 3 Miro Hrončok 2018-08-02 08:56:43 UTC
Note that there is also:

https://src.fedoraproject.org/rpms/python2-django1.11

And:

https://src.fedoraproject.org/rpms/python-django/branch/1.6 (1.6 modular build of Django for Fedora)

Comment 13 errata-xmlrpc 2019-02-04 07:43:42 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.4 for RHEL 7

Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265

Comment 15 Richard Maciel Costa 2019-03-29 00:25:42 UTC
Statement:

This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3 as the vulnerable code was introduced in a newer version of the package.

Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.

Although Red Hat Satellite 6 contains the vulnerable component, it is not affected by this flaw since the condition to exploit the vulnerability cannot be satisfied.

