GitHub Advisory Database: GHSA-RVQ6-MRPV-M6RM
May 17, 2022 - 3:07 a.m.

Code Injection in Django

2022-05-17 03:07:04
CWE-94

CVSS2: 5.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS: 0.022
Percentile: 89.5%

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a “dotted Python path.”

Affected configurations

django, range < 1.6.3
OR
django, range < 1.5.6
OR
django, range < 1.4.11

Vendor: *
Product: django
Version: *
CPE: cpe:2.3:a:*:django:*:*:*:*:*:*:*:*
