Open redirect in py-django (Alpine package)

1) Open redirect

EUVDB-ID: #VU7106

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-7234

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect website visitors to external websites.

The weakness exists due to incorrect validation of redirected URL. A remote attacker can create a specially crafted link and redirect the victim on potentially dangerous website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

py-django (Alpine package): 1.8.3-r0 - 1.8.16-r0

CPE2.3

• cpe:2.3:a:alpine:py-django_alpine_package:1.8.3-r0:*:*:*:*:alpine_linux:*:3.1
• cpe:2.3:a:alpine:py-django_alpine_package:1.8.3-r1:*:*:*:*:alpine_linux:*:3.1
• cpe:2.3:a:alpine:py-django_alpine_package:1.8.7-r0:*:*:*:*:alpine_linux:*:3.2

External links

https://git.alpinelinux.org/aports/commit/?id=aac947d54afaf9dcc0db074c91149f8063f9d3ab
https://git.alpinelinux.org/aports/commit/?id=c6946cd412005ff67f9ffa26bae05148414d006c
https://git.alpinelinux.org/aports/commit/?id=2bfc256714ffd5e50b457f1c3cdb5d7de4ec77af
https://git.alpinelinux.org/aports/commit/?id=05b4008dbdf532c14ba0f1b17f4394ef3602e445
https://git.alpinelinux.org/aports/commit/?id=13b4e92e4fc47a3a048a8647e4674f3580e55b56
https://git.alpinelinux.org/aports/commit/?id=c18a5bc6ffb9c2e3ff2a727354255677217f7e59
https://git.alpinelinux.org/aports/commit/?id=e2e259ef2a11846c3bcdaedf1b90a1896ae1cbce

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.