Vulnerability Name: CVE-2018-14574 (CCN-147836)

Assigned: 2018-08-01
Published: 2018-08-01
Updated: 2019-03-01
Summary: django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
CVSS v3 Severity: 6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): Required
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): Low
  Availability (A): None
7.4 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): Required
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): High
  Availability (A): None
CVSS v2 Severity: 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): Partial
  Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): Single_Instance
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Complete
  Availability (A): None
Vulnerability Type: CWE-601
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2018-14574

Source: CCN
Type: SECTRACK ID: 1041403
Django Open Redirect Flaw in CommonMiddleware Lets Remote Users Redirect the Target User's Browser to an Arbitrary Site

Source: BID
Type: Third Party Advisory, VDB Entry
104970

Source: CCN
Type: BID-104970
Django CVE-2018-14574 Open Redirection Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1041403

Source: REDHAT
Type: Third Party Advisory
RHSA-2019:0265

Source: XF
Type: UNKNOWN
django-cve201814574-open-redirect(147836)

Source: UBUNTU
Type: Third Party Advisory
USN-3726-1

Source: DEBIAN
Type: Third Party Advisory
DSA-4264

Source: CCN
Type: Django Web site
Django security releases issued: 2.0.8 and 1.11.15

Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.djangoproject.com/weblog/2018/aug/01/security-releases/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:djangoproject:django:*:*:*:*:*:*:*:* (Version >= 1.11 and < 1.11.15)
  • OR cpe:/a:djangoproject:django:*:*:*:*:*:*:*:* (Version >= 2.0 and < 2.0.8)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

| Definition ID | Class | Title | Last Modified |
| --- | --- | --- | --- |
| oval:org.opensuse.security:def:201814574 | V | CVE-2018-14574 | 2022-05-22 |
| oval:org.opensuse.security:def:58933 | P | Security update for MozillaFirefox (Important) (in QA) | 2022-01-14 |
| oval:org.opensuse.security:def:59617 | P | Security update for libvirt (Important) | 2022-01-10 |
| oval:org.opensuse.security:def:58932 | P | Security update for java-1_8_0-ibm (Important) (in QA) | 2022-01-04 |
| oval:org.opensuse.security:def:60437 | P | Security update for xorg-x11-server (Important) | 2021-12-14 |
| oval:org.opensuse.security:def:60407 | P | Security update for tomcat (Important) | 2021-11-03 |
| oval:org.opensuse.security:def:59556 | P | Security update for transfig (Important) | 2021-10-29 |
| oval:org.opensuse.security:def:60396 | P | Security update for ncurses (Moderate) | 2021-10-20 |
| oval:org.opensuse.security:def:60367 | P | Security update for MozillaFirefox (Important) | 2021-09-22 |
| oval:org.opensuse.security:def:59800 | P | Security update for ghostscript (Critical) | 2021-09-21 |
| oval:org.opensuse.security:def:60355 | P | Security update for openssl-1_0_0 (Low) | 2021-09-09 |
| oval:org.opensuse.security:def:59789 | P | Security update for openexr (Important) | 2021-09-02 |
| oval:org.opensuse.security:def:60271 | P | Security update for libwebp (Critical) | 2021-06-02 |
| oval:org.opensuse.security:def:59606 | P | Security update for python (Moderate) | 2021-03-16 |
| oval:org.opensuse.security:def:60475 | P | Security update for git (Important) | 2021-03-09 |
| oval:org.opensuse.security:def:59856 | P | Security update for python-cryptography (Important) | 2021-03-02 |
| oval:org.opensuse.security:def:60449 | P | Security update for wpa_supplicant (Important) | 2021-02-15 |
| oval:org.opensuse.security:def:59844 | P | Security update for wpa_supplicant (Important) | 2021-02-15 |
| oval:org.opensuse.security:def:60259 | P | Security update for dnsmasq (Important) | 2021-01-19 |
| oval:org.opensuse.security:def:60487 | P | Security update for the Linux Kernel (Moderate) | 2021-01-12 |
| oval:org.opensuse.security:def:59544 | P | Security update for java-1_8_0-ibm (Moderate) | 2021-01-05 |
| oval:org.opensuse.security:def:60155 | P | Security update for curl (Moderate) | 2020-12-10 |
| oval:org.opensuse.security:def:60143 | P | Security update for python3 (Important) | 2020-12-02 |
| oval:org.opensuse.security:def:59111 | P | Security update for MozillaFirefox (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60514 | P | ppc64-diag on GA media (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:59184 | P | Security update for the Linux Kernel (Live Patch 24 for SLE 12 SP2) (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:26427 | P | Security update for python-Django (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:59918 | P | Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP2) (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60576 | P | xorg-x11-libs on GA media (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:25710 | P | Security update for log4j (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:25183 | P | Security update for libexif (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:60611 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59195 | P | Security update for apache2 (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:25608 | P | Security update for the Linux Kernel (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60864 | P | Security update for ardana and crowbar (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60096 | P | Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60526 | P | python3 on GA media (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:59659 | P | Security update for LibVNCServer (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60744 | P | Security update for libX11 (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59123 | P | Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP2) (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60525 | P | python-requests on GA media (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:24992 | P | Security update for polkit (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60592 | P | Security update for python-Django (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:58944 | P | Security update for librelp (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:25405 | P | Security update for spice-gtk (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:60824 | P | Security update for postgresql96 (Low) | 2020-12-01 |
| oval:org.opensuse.security:def:59363 | P | Security update for java-1_8_0-ibm (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60622 | P | Security update for python-SQLAlchemy (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59206 | P | Security update for webkit2gtk3 (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:58945 | P | Security update for LibVNCServer (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60107 | P | Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP2) (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60774 | P | Security update for java-1_7_0-openjdk (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59671 | P | Security update for apache2 (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:25754 | P | Security update for flash-player (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:25264 | P | Security update for memcached (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:60695 | P | Security update for python (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:59353 | P | Security update for sudo (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:58955 | P | Security update for postgresql94 (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:60604 | P | Security update for ardana and crowbar (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59172 | P | Security update for libvirt (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:60835 | P | Security update for python-cffi, python-cryptography (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:59375 | P | Security update for python-cffi, python-cryptography (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:25696 | P | Security update for sudo (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:25056 | P | Security update for samba (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59173 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:25555 | P | Security update for mariadb-100 (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:60785 | P | Security update for apache-commons-httpclient (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:24981 | P | Security update for bzip2 (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59907 | P | Security update for MozillaFirefox (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60564 | P | vsftpd on GA media (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:60706 | P | Security update for virglrenderer (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:59364 | P | Security update for log4j (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:58967 | P | Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP2) (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60853 | P | Security update for python-Django (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:59183 | P | Security update for the Linux Kernel (Live Patch 26 for SLE 12 SP2) (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:26392 | P | Security update for MozillaThunderbird (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:25321 | P | Security update for java-1_7_0-openjdk (Important) | 2020-12-01 |
| oval:org.opensuse.security:def:60733 | P | Security update for samba (Moderate) | 2020-12-01 |
| oval:org.opensuse.security:def:84317 | P | Security update for ardana and crowbar (Important) | 2019-07-17 |
| oval:org.opensuse.security:def:83870 | P | Security update for ardana and crowbar (Important) | 2019-07-17 |
| oval:org.opensuse.security:def:84306 | P | Security update for python-Django (Moderate) | 2018-10-29 |
| oval:org.opensuse.security:def:83858 | P | Security update for python-Django (Moderate) | 2018-10-29 |
| oval:com.ubuntu.bionic:def:201814574000 | V | CVE-2018-14574 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-08-03 |
| oval:com.ubuntu.bionic:def:2018145740000000 | V | CVE-2018-14574 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-08-03 |
| oval:com.ubuntu.trusty:def:201814574000 | V | CVE-2018-14574 on Ubuntu 14.04 LTS (trusty) - medium. | 2018-08-03 |
| oval:com.ubuntu.xenial:def:2018145740000000 | V | CVE-2018-14574 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-08-03 |
| oval:com.ubuntu.xenial:def:201814574000 | V | CVE-2018-14574 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-08-03 |