Vulnerability-Lookup

CVE-2014-3730 (GCVE-0-2014-3730)

Vulnerability from cvelistv5 – Published: 2014-05-16 15:00 – Updated: 2024-08-06 10:50

Summary

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."

Severity ?

No CVSS data available.

CWE

Assigner

debian

References

URL

GSD-2014-3730

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-3730

Aliases

CVE-2014-3730

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-3730",
    "description": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\"",
    "id": "GSD-2014-3730",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-3730.html",
      "https://www.debian.org/security/2014/dsa-2934",
      "https://advisories.mageia.org/CVE-2014-3730.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-3730"
      ],
      "details": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\"",
      "id": "GSD-2014-3730",
      "modified": "2023-12-13T01:22:53.321302Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@debian.org",
        "ID": "CVE-2014-3730",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\""
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "61281",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/61281"
          },
          {
            "name": "DSA-2934",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2014/dsa-2934"
          },
          {
            "name": "USN-2212-1",
            "refsource": "UBUNTU",
            "url": "http://ubuntu.com/usn/usn-2212-1"
          },
          {
            "name": "67410",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/67410"
          },
          {
            "name": "openSUSE-SU-2014:1132",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
          },
          {
            "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
          },
          {
            "name": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/",
            "refsource": "CONFIRM",
            "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
          },
          {
            "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.4,\u003c1.4.13||\u003e=1.5,\u003c1.5.8||\u003e=1.6,\u003c1.6.5||\u003e=1.7b1,\u003c1.7b4",
          "affected_versions": "All versions starting from 1.4 before 1.4.13, all versions starting from 1.5 before 1.5.8, all versions starting from 1.6 before 1.6.5, version",
          "credit": "Peter Kuma, Gavin Wahl",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2018-10-30",
          "description": "The validation for redirects does not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly.",
          "fixed_versions": [
            "1.4.13",
            "1.5.8",
            "1.6.5",
            "1.7b4"
          ],
          "identifier": "CVE-2014-3730",
          "identifiers": [
            "CVE-2014-3730"
          ],
          "package_slug": "pypi/Django",
          "pubdate": "2014-05-16",
          "solution": "Upgrade to version 1.4.13, 1.5.8, 1.6.5, 1.7 beta 4, or higher.",
          "title": "Malformed URLs from user input incorrectly validated",
          "urls": [
            "http://osvdb.org/show/osvdb/107012",
            "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
          ],
          "uuid": "6cc137f5-a9ff-4c8d-88f6-a22bed86f288"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6:beta4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2014-3730"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-2212-1",
              "refsource": "UBUNTU",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://ubuntu.com/usn/usn-2212-1"
            },
            {
              "name": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
            },
            {
              "name": "[oss-security] 20140514 Re: CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
              "refsource": "MLIST",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
            },
            {
              "name": "[oss-security] 20140514 CVE Reuest: Django: Malformed URLs from user input incorrectly validated",
              "refsource": "MLIST",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
            },
            {
              "name": "DSA-2934",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.debian.org/security/2014/dsa-2934"
            },
            {
              "name": "openSUSE-SU-2014:1132",
              "refsource": "SUSE",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
            },
            {
              "name": "67410",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/67410"
            },
            {
              "name": "61281",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/61281"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2018-10-30T16:27Z",
      "publishedDate": "2014-05-16T15:55Z"
    }
  }
}

FKIE_CVE-2014-3730

Vulnerability from fkie_nvd - Published: 2014-05-16 15:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
security@debian.org	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	Third Party Advisory
security@debian.org	http://secunia.com/advisories/61281
security@debian.org	http://ubuntu.com/usn/usn-2212-1	Third Party Advisory
security@debian.org	http://www.debian.org/security/2014/dsa-2934	Third Party Advisory
security@debian.org	http://www.openwall.com/lists/oss-security/2014/05/14/10	Third Party Advisory
security@debian.org	http://www.openwall.com/lists/oss-security/2014/05/15/3	Third Party Advisory
security@debian.org	http://www.securityfocus.com/bid/67410	Third Party Advisory, VDB Entry
security@debian.org	https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/61281
af854a3a-2127-422b-91ae-364da2661108	http://ubuntu.com/usn/usn-2212-1	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2014/dsa-2934	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/05/14/10	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/05/15/3	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/67410	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
canonical	ubuntu_linux	10.04
canonical	ubuntu_linux	12.04
canonical	ubuntu_linux	12.10
canonical	ubuntu_linux	13.10
canonical	ubuntu_linux	14.04
djangoproject	django	1.4
djangoproject	django	1.4.1
djangoproject	django	1.4.2
djangoproject	django	1.4.4
djangoproject	django	1.4.5
djangoproject	django	1.4.6
djangoproject	django	1.4.7
djangoproject	django	1.4.8
djangoproject	django	1.4.9
djangoproject	django	1.4.10
djangoproject	django	1.4.11
djangoproject	django	1.4.12
djangoproject	django	1.7
djangoproject	django	1.7
djangoproject	django	1.7
opensuse	opensuse	12.3
opensuse	opensuse	13.1
djangoproject	django	1.6
djangoproject	django	1.6
djangoproject	django	1.6
djangoproject	django	1.6
djangoproject	django	1.6
djangoproject	django	1.6.1
djangoproject	django	1.6.2
djangoproject	django	1.6.3
djangoproject	django	1.6.4
debian	debian_linux	7.0
debian	debian_linux	8.0
djangoproject	django	1.5
djangoproject	django	1.5
djangoproject	django	1.5
djangoproject	django	1.5.1
djangoproject	django	1.5.2
djangoproject	django	1.5.3
djangoproject	django	1.5.4
djangoproject	django	1.5.5
djangoproject	django	1.5.6
djangoproject	django	1.5.7

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*",
              "matchCriteriaId": "7118F616-25CA-4E34-AA13-4D14BB62419F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*",
              "matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F61F047-129C-41A6-8A27-FFCBB8563E91",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A79FF7F-8F92-4FEB-96CC-6B15D0CE920D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "13EF02D4-406C-4146-9B8F-FAC906E7B6E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC462CE5-1BE0-41E0-A28D-291350F021AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "4166ADA9-D5B4-47D6-BD93-C98841108275",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "080D43D0-C0FF-4F89-910C-D466943816C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "E04AE832-9059-42AB-AD39-D01E7A633615",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "693EEF6B-810B-4684-9AB5-1BDC95DFA4CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9EF4268-0DB7-4150-B8E7-53C6D7F02E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "C571F85F-9F49-48B6-9AD9-16CD81655F73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "41F0F1FA-E3EC-421C-9F72-11FC857F6F72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4031E5F-B5D6-4E7D-96FC-A4ACF9C306A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B1577DD-B40E-404B-8E55-3A93AB8A8F62",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "BB1EF6D7-0AF4-4146-BA37-961F7048C1C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "5E4CCE84-425C-4B9C-98B7-D858B64B3418",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "B6B77FCE-F26A-41CB-8D72-E9EF0E352288",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6:-:*:*:*:*:*:*",
              "matchCriteriaId": "29477EEA-D5F8-45A9-9777-8A6BC7C668A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "A83451BD-1D67-4A7F-A62C-F597E51FCC21",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "0300DC0D-5DD0-42B5-9FE0-54DC557EA40D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "85A2021F-B2AF-40DC-9FA2-5F90D2EB813E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "07B12D68-BB49-4931-9D9E-D8134FC0B350",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "0CC369A0-0092-450D-91E9-13C7AF7EBC16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B6B7974-ABEF-4E0C-8503-6E9C22D28C78",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "55460F1D-661B-465C-8A22-E4E6DA2834B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FD4FB46-3A98-4B9B-A241-C39E2C2A0FEC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCDB4B76-6541-4405-B74C-3EEAF84A04E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*",
              "matchCriteriaId": "8A26B113-8D22-46E5-92C3-12134A68A21E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*",
              "matchCriteriaId": "0D99FB28-08F3-45B4-8C04-90074FBC2457",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4E2A29CC-A92B-4EC1-8225-408A5048C033",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "73317E26-AA3A-4437-9261-CE76BC1A0749",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E6046CEB-6CF5-406F-BF6B-4D8C24DDA6FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "A666B9E5-EA1B-4FA9-A685-61ECF26CB084",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "8EB3FED4-C50A-4449-9A7B-552CFB02F860",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B4F3D5C-5768-48F1-8A39-1B87EC061F37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "B10E08DF-6B92-452A-876B-DC8D376B0B41",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\""
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n django.util.http.is_safe_url en Django 1.4 anterior a 1.4.13, 1.5 anterior a 1.5.8, 1.6 anterior a 1.6.5 y 1.7 anterior a 1.7b4 no valida debidamente URLs, lo que permite a atacantes remotos realizar ataques de redirecci\u00f3n abierta a trav\u00e9s de una URL malformada, tal y como fue demostrado por \u0027http:\\\\\\djangoproject.com.\u0027"
    }
  ],
  "id": "CVE-2014-3730",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-05-16T15:55:05.440",
  "references": [
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "source": "security@debian.org",
      "url": "http://secunia.com/advisories/61281"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://ubuntu.com/usn/usn-2212-1"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/67410"
    },
    {
      "source": "security@debian.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/61281"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://ubuntu.com/usn/usn-2212-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/67410"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-VQ3H-3Q7V-9PRW

Vulnerability from github – Published: 2022-05-14 02:09 – Updated: 2024-09-18 19:43

Summary

Django Allows Open Redirects

Details

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\djangoproject.com."

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4"
            },
            {
              "fixed": "1.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5"
            },
            {
              "fixed": "1.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6"
            },
            {
              "fixed": "1.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7a1"
            },
            {
              "fixed": "1.7b4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-3730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-15T22:09:31Z",
    "nvd_published_at": "2014-05-16T15:55:00Z",
    "severity": "HIGH"
  },
  "details": "The `django.util.http.is_safe_url` function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\"",
  "id": "GHSA-vq3h-3q7v-9prw",
  "modified": "2024-09-18T19:43:07Z",
  "published": "2022-05-14T02:09:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/601107524523bca02376a0ddc1a06c6fdb8f22f3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-20.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228171223/http://www.securityfocus.com/bid/67410"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/61281"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-2212-1"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django Allows Open Redirects"
}

PYSEC-2014-20

Vulnerability from pysec - Published: 2014-05-16 15:55 - Updated: 2021-09-01 08:18

Details

Impacted products

Name	purl
django	pkg:pypi/django

Aliases

CVE-2014-3730

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django",
        "purl": "pkg:pypi/django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4"
            },
            {
              "fixed": "1.4.13"
            },
            {
              "introduced": "1.5"
            },
            {
              "fixed": "1.5.8"
            },
            {
              "introduced": "1.6"
            },
            {
              "fixed": "1.6.5"
            },
            {
              "introduced": "1.7a0"
            },
            {
              "fixed": "1.7b4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.4",
        "1.4.1",
        "1.4.10",
        "1.4.11",
        "1.4.12",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.4.6",
        "1.4.7",
        "1.4.8",
        "1.4.9",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.5.6",
        "1.5.7",
        "1.6",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4"
      ]
    }
  ],
  "aliases": [
    "CVE-2014-3730"
  ],
  "details": "The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by \"http:\\\\\\djangoproject.com.\"",
  "id": "PYSEC-2014-20",
  "modified": "2021-09-01T08:18:55.675902Z",
  "published": "2014-05-16T15:55:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-2212-1"
    },
    {
      "type": "ARTICLE",
      "url": "https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/05/15/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/05/14/10"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.debian.org/security/2014/dsa-2934"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/67410"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/61281"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-3730 (GCVE-0-2014-3730)

GSD-2014-3730

FKIE_CVE-2014-3730

GHSA-VQ3H-3Q7V-9PRW

PYSEC-2014-20

Tags

Sightings

Nomenclature