| Vulnerability Name: | CVE-2010-4534 (CCN-64324) |
| Assigned: | 2010-12-23 |
| Published: | 2010-12-23 |
| Updated: | 2011-01-20 |
| Summary: | The administrative interface in django.contrib.admin in Django before 1.1.3, 1.2.x before 1.2.4, and 1.3.x before 1.3 beta 1 does not properly restrict use of the query string to perform certain object filtering, which allows remote authenticated users to obtain sensitive information via a series of requests containing regular expressions, as demonstrated by a created_by__password__regex parameter. |
| CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
| CVSS v2 Severity: | 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N) |
| | 3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C) |
| | 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C) |
| Vulnerability Type: | CWE-264 |
| Vulnerability Consequences: | Obtain Information |
| References: | Source: CCN, Type: Full-Disclosure Mailing List, Thu Dec 23 2010: Django admin list filter data extraction / leakage |
| | Source: FULLDISC, Type: Exploit: 20101223 Django admin list filter data extraction / leakage |
| | Source: CONFIRM, Type: Patch: http://code.djangoproject.com/changeset/15031 |
| | Source: MITRE, Type: CNA: CVE-2010-4534 |
| | Source: MISC, Type: Exploit: http://evilpacket.net/2010/dec/22/information-leakage-django-administrative-interfac/ |
| | Source: FEDORA, Type: UNKNOWN: FEDORA-2011-0096 |
| | Source: FEDORA, Type: UNKNOWN: FEDORA-2011-0120 |
| | Source: MISC, Type: Exploit: http://ngenuity-is.com/advisories/2010/dec/22/information-leakage-in-django-administrative-inter/ |
| | Source: CCN, Type: SA42715: Django Two Security Issues |
| | Source: SECUNIA, Type: Vendor Advisory: 42715 |
| | Source: SECUNIA, Type: UNKNOWN: 42827 |
| | Source: SECUNIA, Type: UNKNOWN: 42913 |
| | Source: CCN, Type: Django Web site: Security releases issued |
| | Source: CONFIRM, Type: Patch, Vendor Advisory: http://www.djangoproject.com/weblog/2010/dec/22/security/ |
| | Source: MLIST, Type: Patch: [oss-security] 20101223 CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws |
| | Source: MLIST, Type: Patch: [oss-security] 20110103 Re: CVE Request -- Django 1.2.4, Django 1.1.3 and Django 1.3 beta 1 -- addressing two security flaws |
| | Source: CCN, Type: OSVDB ID: 70159: Django django.contrib.admin Admin Interface query String Information Disclosure |
| | Source: BUGTRAQ, Type: UNKNOWN: 20101223 Django admin list filter data extraction / leakage |
| | Source: BID, Type: UNKNOWN: 45562 |
| | Source: CCN, Type: BID-45562: Django 'django.contrib.admin' Querystring Information Disclosure Vulnerability |
| | Source: UBUNTU, Type: UNKNOWN: USN-1040-1 |
| | Source: VUPEN, Type: UNKNOWN: ADV-2011-0048 |
| | Source: VUPEN, Type: UNKNOWN: ADV-2011-0098 |
| | Source: CONFIRM, Type: Patch: https://bugzilla.redhat.com/show_bug.cgi?id=665373 |
| | Source: XF, Type: UNKNOWN: django-djangocontribadmin-info-disc(64324) |
| Vulnerable Configuration: | Configuration 1, Configuration 2, Configuration 3 |