Bug 1609031 - (CVE-2018-14574) CVE-2018-14574 django: Open redirect possibility in CommonMiddleware
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180801:1400,...
Keywords: Security
Depends On: 1611050 1611051 1612125 1617844 1617846 1617847 1617849 1617851 1617853 1617855 1617857 1635700 1635701 1642590 1611052
Blocks: 1609035
Reported: 2018-07-26 14:58 EDT by Laura Pardo
Modified: 2018-10-24 14:04 EDT (History)

Fixed In Version: Django 2.1, Django 2.0.8, Django 1.11.15
Doc Text:
When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect.
Description Laura Pardo 2018-07-26 14:58:57 EDT
A flaw was found in Django. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
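The following is an added illustration, not part of this bug report or of Django's code base. It models in plain Python how the APPEND_SLASH redirect target was built by CommonMiddleware before the fix and the escape_leading_slashes() guard that Django 2.1, 2.0.8 and 1.11.15 apply to it, so it runs without Django installed. The URL patterns, the host names and the helper names (is_valid_path, should_redirect_with_slash, redirect_target_vulnerable, redirect_target_fixed, host_browser_lands_on) are constructed stand-ins for the "any path ending in a slash" configuration the description refers to:

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a project URLconf that, like many CMS projects,
# accepts any path ending in a slash. Hypothetical; not Django's resolver.
URL_PATTERNS = [
    re.compile(r"^articles/(?P<year>\d{4})/$"),
    re.compile(r"^(?P<slug>.*)/$"),  # catch-all: anything that ends in "/"
]


def is_valid_path(path):
    """Model of django.urls.is_valid_path(): the root resolver consumes one
    leading slash, then each pattern is matched against the remainder."""
    remainder = path[1:] if path.startswith("/") else path
    return any(p.match(remainder) for p in URL_PATTERNS)


def should_redirect_with_slash(path):
    """APPEND_SLASH rule: redirect only if the path as requested does not
    resolve but the same path with a trailing slash does."""
    return (
        not path.endswith("/")
        and not is_valid_path(path)
        and is_valid_path(path + "/")
    )


def redirect_target_vulnerable(path, query_string=""):
    """Location value as CommonMiddleware built it before the fix: the raw
    request path with "/" appended and the query string carried over.
    A request path of "//evil.example.com" therefore yields
    "//evil.example.com/", which a browser treats as a scheme-relative URL
    pointing at another host."""
    if not should_redirect_with_slash(path):
        return None
    new_path = path + "/"
    if query_string:
        new_path += "?" + query_string
    return new_path


def escape_leading_slashes(url):
    """The guard the fix added (django.utils.http.escape_leading_slashes):
    percent-encode the second of two leading slashes so the target can no
    longer be read as "//host/..."."""
    if url.startswith("//"):
        url = "/%2F" + url[2:]
    return url


def redirect_target_fixed(path, query_string=""):
    """Same construction with the fix applied to the computed target."""
    target = redirect_target_vulnerable(path, query_string)
    return None if target is None else escape_leading_slashes(target)


def host_browser_lands_on(location, origin_host):
    """Where a browser ends up after following a Location header: a leading
    "//" makes the URL scheme-relative, so the host comes from the URL
    itself; any other relative path stays on the origin."""
    return urlsplit(location).netloc or origin_host


if __name__ == "__main__":
    origin = "www.example.org"  # constructed origin host
    for requested in ("/articles/2018", "//evil.example.com"):
        before = redirect_target_vulnerable(requested)
        after = redirect_target_fixed(requested)
        print(f"{requested!r}: before fix -> {before!r} "
              f"(lands on {host_browser_lands_on(before, origin)}); "
              f"after fix -> {after!r} "
              f"(lands on {host_browser_lands_on(after, origin)})")
```

The benign case ("/articles/2018") redirects to "/articles/2018/" in both versions; only the path that starts with two slashes changes, from "//evil.example.com/" to "/%2Fevil.example.com/", which stays on the origin host. To check a deployment, request a path that begins with "//" and has no trailing slash and inspect the 301 Location header: a value starting with "//" is the vulnerable behaviour. Upgrading to one of the fixed versions listed above removes it; where that is not yet possible, the conditions in the description no longer hold if APPEND_SLASH is disabled or the catch-all trailing-slash pattern is removed.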
Comment 2 James Hebden 2018-08-01 22:38:32 EDT
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1611050]
Affects: fedora-all [bug 1611052]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1611051]
Comment 3 Miro Hrončok 2018-08-02 04:56:43 EDT
Note that there is also:

https://src.fedoraproject.org/rpms/python2-django1.11

And:

https://src.fedoraproject.org/rpms/python-django/branch/1.6 (1.6 modular build of Django for Fedora)
Comment 9 Riccardo Schirone 2018-10-23 05:15:30 EDT
Statement:

This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3 as the vulnerable code was introduced in a newer version of the package.
