Multiple vulnerabilities in Django
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 CVE-2011-4136 CVE-2010-4534 CVE-2010-4535 |
| CWE-ID | CWE-399 CWE-20 CWE-352 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Django Web applications / CMS |
| Vendor | Django Software Foundation |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU44585
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-4137
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521.
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 0.91 - 1.3
External linkshttp://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
http://openwall.com/lists/oss-security/2011/09/15/5
http://secunia.com/advisories/46614
http://www.debian.org/security/2011/dsa-2332
http://bugzilla.redhat.com/show_bug.cgi?id=737366
http://hermes.opensuse.org/messages/14700881
http://www.djangoproject.com/weblog/2011/sep/09/
http://www.djangoproject.com/weblog/2011/sep/10/127/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU44586
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-4138
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 0.91 - 1.3
External linkshttp://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
http://secunia.com/advisories/46614
http://www.debian.org/security/2011/dsa-2332
http://bugzilla.redhat.com/show_bug.cgi?id=737366
http://hermes.opensuse.org/messages/14700881
http://www.djangoproject.com/weblog/2011/sep/09/
http://www.djangoproject.com/weblog/2011/sep/10/127/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU44587
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-4139
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 0.91 - 1.3
External linkshttp://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
http://secunia.com/advisories/46614
http://www.debian.org/security/2011/dsa-2332
http://bugzilla.redhat.com/show_bug.cgi?id=737366
http://hermes.opensuse.org/messages/14700881
http://www.djangoproject.com/weblog/2011/sep/09/
http://www.djangoproject.com/weblog/2011/sep/10/127/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site request forgery
EUVDB-ID: #VU44588
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-4140
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 0.91 - 1.3
External linkshttp://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
http://secunia.com/advisories/46614
http://www.debian.org/security/2011/dsa-2332
http://bugzilla.redhat.com/show_bug.cgi?id=737366
http://hermes.opensuse.org/messages/14700881
http://www.djangoproject.com/weblog/2011/sep/09/
http://www.djangoproject.com/weblog/2011/sep/10/127/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU44589
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2011-4136
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier.
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 0.91 - 1.3
External linkshttp://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
http://secunia.com/advisories/46614
http://www.debian.org/security/2011/dsa-2332
http://bugzilla.redhat.com/show_bug.cgi?id=737366
http://hermes.opensuse.org/messages/14700881
http://www.djangoproject.com/weblog/2011/sep/09/
http://www.djangoproject.com/weblog/2011/sep/10/127/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU45481
Risk: Low
CVSSv3.1: 1.3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-4534
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to gain access to sensitive information.
The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter.
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 0.91 - 1.3
External linkshttp://archives.neohapsis.com/archives/fulldisclosure/2010-12/0580.html
http://code.djangoproject.com/changeset/15031
http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html
http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/
http://secunia.com/advisories/42715
http://secunia.com/advisories/42827
http://secunia.com/advisories/42913
http://www.djangoproject.com/weblog/2010/dec/22/security/
http://www.openwall.com/lists/oss-security/2010/12/23/4
http://www.openwall.com/lists/oss-security/2011/01/03/5
http://www.securityfocus.com/archive/1/515446
http://www.securityfocus.com/bid/45562
http://www.ubuntu.com/usn/USN-1040-1
http://www.vupen.com/english/advisories/2011/0048
http://www.vupen.com/english/advisories/2011/0098
http://bugzilla.redhat.com/show_bug.cgi?id=665373
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU45482
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-4535
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The password reset functionality in django.contrib.auth in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not validate the length of a string representing a base36 timestamp, which allows remote attackers to cause a denial of service (resource consumption) via a URL that specifies a large base36 integer.
MitigationInstall update from vendor's website.
Vulnerable software versionsDjango: 0.91 - 1.3
External linkshttp://code.djangoproject.com/changeset/15032
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053041.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053072.html
http://secunia.com/advisories/42715
http://secunia.com/advisories/42827
http://secunia.com/advisories/42913
http://www.djangoproject.com/weblog/2010/dec/22/security/
http://www.openwall.com/lists/oss-security/2010/12/23/4
http://www.openwall.com/lists/oss-security/2011/01/03/5
http://www.securityfocus.com/bid/45563
http://www.ubuntu.com/usn/USN-1040-1
http://www.vupen.com/english/advisories/2011/0048
http://www.vupen.com/english/advisories/2011/0098
http://bugzilla.redhat.com/show_bug.cgi?id=665373
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
