Executive Summary
Summary | |
---|---|
Title | python-django security update |
Informations | |||
---|---|---|---|
Name | DSA-3835 | First vendor Publication | 2017-04-26 |
Vendor | Debian | Last vendor Modification | 2017-04-26 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2016-9013: Marti Raudsepp reported that a user with a hardcoded password is created when running tests with an Oracle database.

CVE-2016-9014: Aymeric Augustin discovered that Django does not properly validate the Host header against settings.ALLOWED_HOSTS when the debug setting is enabled. A remote attacker can take advantage of this flaw to perform DNS rebinding attacks.

CVE-2017-7233: It was discovered that is_safe_url() does not properly handle certain numeric URLs as safe. A remote attacker can take advantage of this flaw to perform XSS attacks or to use a Django server as an open redirect.

CVE-2017-7234: Phithon from Chaitin Tech discovered an open redirect vulnerability in the django.views.static.serve() view. Note that this view is not intended for production use.

For the stable distribution (jessie), these problems have been fixed in version 1.7.11-1+deb8u2.

We recommend that you upgrade your python-django packages.
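Two of the issues above (CVE-2016-9014 and CVE-2017-7233) are failures of allow-list checks that a defender can reason about independently of the framework: a Host header must match ALLOWED_HOSTS regardless of the debug setting, and a redirect target must be either a path on the same site or an absolute URL whose host is on the allow-list. The following is an added, self-contained illustration of both checks written for this page; it is not Django's own code and its function names (`validate_host`, `is_safe_redirect`) and sample inputs are constructed for the example. It also generalises slightly beyond the advisory by rejecting scheme-relative, backslash and control-character forms that a plain parser can misclassify.

```python
"""Allow-list checks for the Host header and for redirect targets.

Independent illustration written for this page (not Django's code).
`validate_host` mirrors the intent of settings.ALLOWED_HOSTS; `is_safe_redirect`
mirrors the intent of an is_safe_url()-style check. Both are strict by design.
"""
import re
from urllib.parse import urlsplit

# A host is a DNS name / IPv4 literal or a bracketed IPv6 literal, with an optional port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:[0-9]+)?$", re.IGNORECASE)


def validate_host(host_header, allowed_hosts):
    """Return True only if the Host header matches an allow-list entry.

    Entries are exact names ("example.com"), leading-dot suffix patterns
    (".example.com" matches the domain and any subdomain) or "*" (anything).
    The check does not consult any debug flag: it applies to every request.
    """
    if not host_header:
        return False
    match = _HOST_RE.match(host_header.strip())
    if not match:
        return False
    host = match.group(1).lower().rstrip(".")  # ignore a trailing FQDN dot
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` is a same-site path or an absolute http(s) URL
    whose host is on the allow-list.

    Rejected outright: empty values, backslashes and control characters (browsers
    may reinterpret them), scheme-relative "//host" forms, non-http(s) schemes,
    and scheme-only values with no host such as "http:12345", whichever way the
    URL parser happens to split them.
    """
    if not url:
        return False
    url = url.strip()
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    if url.startswith("//"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: only a rooted path is accepted.
        return url.startswith("/")
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return False
    if require_https and parts.scheme.lower() != "https":
        return False
    # Drop any userinfo ("trusted@evil") so the real host is what gets checked.
    host = parts.netloc.rsplit("@", 1)[-1]
    return validate_host(host, allowed_hosts)


if __name__ == "__main__":
    # Constructed sample inputs for a site whose allow-list is [".example.com"].
    allowed = [".example.com"]
    for header in ["www.example.com", "example.com:443", "example.com.evil.net", ""]:
        print(f"Host {header!r:28} -> {validate_host(header, allowed)}")
    for target in ["/accounts/profile/", "//evil.net/", "http:12345",
                   "https://example.com/next", "http://example.com@evil.net/"]:
        print(f"redirect {target!r:32} -> {is_safe_redirect(target, allowed)}")
```

The redirect check deliberately does not try to "repair" odd inputs: anything that is not clearly a rooted path or a well-formed absolute URL with an allow-listed host is refused, which is the behaviour a practitioner wants from a safe-URL guard.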
Original Source
Url : http://www.debian.org/security/2017/dsa-3835
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') (CWE/SANS Top 25) |
25 % | CWE-798 | Use of Hard-coded Credentials (CWE/SANS Top 25) |
25 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-07-17 | Name : The remote Fedora host is missing a security update. File : fedora_2017-f997e46fa7.nasl - Type : ACT_GATHER_INFO |
2017-04-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3835.nasl - Type : ACT_GATHER_INFO |
2017-04-24 | Name : The remote Fedora host is missing a security update. File : fedora_2017-c0ef6054d7.nasl - Type : ACT_GATHER_INFO |
2017-04-06 | Name : The remote Debian host is missing a security update. File : debian_DLA-885.nasl - Type : ACT_GATHER_INFO |
2017-04-05 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_dc880d6c195d11e78c630800277dcc69.nasl - Type : ACT_GATHER_INFO |
2017-04-05 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-3254-1.nasl - Type : ACT_GATHER_INFO |
2016-11-21 | Name : The remote Fedora host is missing a security update. File : fedora_2016-d4571bf555.nasl - Type : ACT_GATHER_INFO |
2016-11-15 | Name : The remote Fedora host is missing a security update. File : fedora_2016-3eb5a55123.nasl - Type : ACT_GATHER_INFO |
2016-11-03 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_cb11665179db4c0993a2c38f9df46724.nasl - Type : ACT_GATHER_INFO |
2016-11-02 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-3115-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2017-04-28 13:25:10 | |
2017-04-27 00:22:28 | |