Resource management error in py-django (Alpine package)
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2014-0474 |
| CWE-ID | CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
py-django (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Resource management error
EUVDB-ID: #VU32542
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0474
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
MitigationInstall update from vendor's website.
Vulnerable software versionspy-django (Alpine package): 1.4.1-r0 - 1.5.5-r0
CPE2.3- cpe:2.3:o:alpine:py-django_alpine_package:1.5.1-r0:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:py-django_alpine_package:1.5.5-r0:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:py-django_alpine_package:1.4.1-r0:*:*:*:*:alpine_linux:*:
http://git.alpinelinux.org/aports/commit/?id=d8d38d0581575f676da3491e75ab136626276613
http://git.alpinelinux.org/aports/commit/?id=5044db2a0efc6ce6d34e1f5130a47e32960f4d3c
http://git.alpinelinux.org/aports/commit/?id=761bfcda159e2c226f63239c4d10c8cfbd88b01a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
