#VU41377 Input validation error in Opensuse and Django - CVE-2014-0480

Cybersecurity Help s.r.o.

Published: 2014-08-26 | Updated: 2020-08-10

Vulnerability identifier: #VU41377

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-0480

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Opensuse
Operating systems & Components / Operating system
Django
Web applications / CMS

Vendor: SUSE
Django Software Foundation

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Opensuse: 12.3 - 13.1

Django: 1.4 - 13.1

External links
https://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
https://secunia.com/advisories/59782
https://secunia.com/advisories/61276
https://secunia.com/advisories/61281
https://www.debian.org/security/2014/dsa-3010
https://www.securityfocus.com/bid/69425
https://www.djangoproject.com/weblog/2014/aug/20/security/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Django

Fedora EPEL 6 update for Django14