When using the django.middleware.common.CommonMiddleware class with the APPEND_SLASH setting enabled, Django projects which accept paths ending in a slash may be vulnerable to an unvalidated HTTP redirect.
A flaw was found in Django. If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1611050]
Affects: fedora-all [bug 1611052]
Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1611051]
Note that there is also:
https://src.fedoraproject.org/rpms/python-django/branch/1.6 (1.6 modular build of Django for Fedora)
This issue has been addressed in the following products:
Red Hat Gluster Storage 3.4 for RHEL 7
Via RHSA-2019:0265 https://access.redhat.com/errata/RHSA-2019:0265
This issue did not affect the versions of python-django as shipped with Red Hat Update Infrastructure 3 as the vulnerable code was introduced in a newer version of the package.
Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates.
Although Red Hat Satellite 6 contains the vulnerable component, it is not affected by this flaw since the condition to exploit the vulnerability cannot be satisfied.