SB2014042303 - Resource management error in Django
Published: April 23, 2014 Updated: July 28, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Resource management error (CVE-ID: CVE-2014-0474)
CWE-ID: CWE-399 - Resource Management Errors
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
- http://rhn.redhat.com/errata/RHSA-2014-0456.html
- http://rhn.redhat.com/errata/RHSA-2014-0457.html
- http://secunia.com/advisories/61281
- http://www.debian.org/security/2014/dsa-2934
- http://www.ubuntu.com/usn/USN-2169-1
- https://www.djangoproject.com/weblog/2014/apr/21/security/