Executive Summary
Summary | |
---|---|
Title | Django vulnerabilities |
Informations | |||
---|---|---|---|
Name | USN-1040-1 | First vendor Publication | 2011-01-07 |
Vendor | Ubuntu | Last vendor Modification | 2011-01-07 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 9.10: Ubuntu 10.04 LTS: Ubuntu 10.10: In general, a standard system update will make all the necessary changes. Details follow: Adam Baldwin discovered that Django did not properly validate query string lookups. This could be exploited to provide an information leak to an attacker with admin privilieges. (CVE-2010-4534) Paul McMillan discovered that Django did not validate the length of the token used when generating a password reset. An attacker could exploit this to cause a denial of service via resource exhaustion. (CVE-2010-4535) |
Original Source
Url : http://www.ubuntu.com/usn/USN-1040-1 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13124 | |||
Oval ID: | oval:org.mitre.oval:def:13124 | ||
Title: | USN-1040-1 -- python-django vulnerabilities | ||
Description: | Adam Baldwin discovered that Django did not properly validate query string lookups. This could be exploited to provide an information leak to an attacker with admin privilieges. Paul McMillan discovered that Django did not validate the length of the token used when generating a password reset. An attacker could exploit this to cause a denial of service via resource exhaustion | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1040-1 CVE-2010-4534 CVE-2010-4535 | Version: | 5 |
Platform(s): | Ubuntu 10.10 Ubuntu 9.10 Ubuntu 10.04 | Product(s): | python-django |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-01-24 | Name : django -- multiple vulnerabilities File : nvt/freebsd_py23-django3.nasl |
2011-01-14 | Name : Fedora Update for Django FEDORA-2011-0096 File : nvt/gb_fedora_2011_0096_Django_fc13.nasl |
2011-01-14 | Name : Fedora Update for Django FEDORA-2011-0120 File : nvt/gb_fedora_2011_0120_Django_fc14.nasl |
2011-01-11 | Name : Ubuntu Update for python-django vulnerabilities USN-1040-1 File : nvt/gb_ubuntu_USN_1040_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70160 | Django django.contrib.auth Multiple Crafted Password Reset Token Remote DoS Django contains a flaw that may allow a remote denial of service. The issue is triggered when the 'django.contrib.auth' authentication support fails to properly restrict the maximum size of the base36 integer part of password reset tokens. This may be exploited by using multiple crafted password reset tokens to cause a denial of service via high CPU consumption. |
70159 | Django django.contrib.admin Admin Interface query String Information Disclosure Django contains a flaw that may lead to an unauthorized information disclosure. Â The issue is triggered when the 'django.contrib.admin' administrative interface support fails to properly filter lookup arguments supplied via the query string, which may disclose sensitive information to a remote attacker. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2011-01-14 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0096.nasl - Type : ACT_GATHER_INFO |
2011-01-14 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0120.nasl - Type : ACT_GATHER_INFO |
2011-01-07 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1040-1.nasl - Type : ACT_GATHER_INFO |
2010-12-30 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_14a37474138311e08a5800215c6a37bb.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:58:10 |
|