Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-1560-1.NASL
HistorySep 11, 2012 - 12:00 a.m.

Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : python-django vulnerabilities (USN-1560-1)

2012-09-1100:00:00
Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
JSON

It was discovered that Django incorrectly validated the scheme of a redirect target. If a user were tricked into opening a specially crafted URL, an attacker could possibly exploit this to conduct cross-site scripting (XSS) attacks. (CVE-2012-3442)

It was discovered that Django incorrectly handled validating certain images. A remote attacker could use this flaw to cause the server to consume memory, leading to a denial of service. (CVE-2012-3443)

Jeroen Dekkers discovered that Django incorrectly handled certain image dimensions. A remote attacker could use this flaw to cause the server to consume resources, leading to a denial of service.
(CVE-2012-3444).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-1560-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(62038);
  script_version("1.7");
  script_cvs_date("Date: 2019/09/19 12:54:28");

  script_cve_id("CVE-2012-3442", "CVE-2012-3443", "CVE-2012-3444");
  script_bugtraq_id(54742);
  script_xref(name:"USN", value:"1560-1");

  script_name(english:"Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : python-django vulnerabilities (USN-1560-1)");
  script_summary(english:"Checks dpkg output for updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Ubuntu host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"It was discovered that Django incorrectly validated the scheme of a
redirect target. If a user were tricked into opening a specially
crafted URL, an attacker could possibly exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2012-3442)

It was discovered that Django incorrectly handled validating certain
images. A remote attacker could use this flaw to cause the server to
consume memory, leading to a denial of service. (CVE-2012-3443)

Jeroen Dekkers discovered that Django incorrectly handled certain
image dimensions. A remote attacker could use this flaw to cause the
server to consume resources, leading to a denial of service.
(CVE-2012-3444).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/1560-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected python-django package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-django");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:10.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:11.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/09/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(10\.04|11\.04|11\.10|12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 10.04 / 11.04 / 11.10 / 12.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"10.04", pkgname:"python-django", pkgver:"1.1.1-2ubuntu1.5")) flag++;
if (ubuntu_check(osver:"11.04", pkgname:"python-django", pkgver:"1.2.5-1ubuntu1.2")) flag++;
if (ubuntu_check(osver:"11.10", pkgname:"python-django", pkgver:"1.3-2ubuntu1.3")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"python-django", pkgver:"1.3.1-4ubuntu1.2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-django");
}
VendorProductVersionCPE
canonicalubuntu_linuxpython-djangop-cpe:/a:canonical:ubuntu_linux:python-django
canonicalubuntu_linux10.04cpe:/o:canonical:ubuntu_linux:10.04:-:lts
canonicalubuntu_linux11.04cpe:/o:canonical:ubuntu_linux:11.04
canonicalubuntu_linux11.10cpe:/o:canonical:ubuntu_linux:11.10
canonicalubuntu_linux12.04cpe:/o:canonical:ubuntu_linux:12.04:-:lts

Related

openvas 20
nessus 6
seebug 1
ubuntu 1
fedora 6
securityvulns 2
debian 1
osv 7
freebsd 1
cve 3
debiancve 3
ubuntucve 3
prion 3
github 3
gitlab 3
openvas
openvas
Fedora Update for Django FEDORA-2012-20224
2012-12-26 00:00:00
FreeBSD Ports: py26-django, py27-django
2012-08-10 00:00:00
Fedora Update for Django FEDORA-2012-11415
2012-08-30 00:00:00
nessus
nessus
FreeBSD : django -- multiple vulnerabilities (f01292a0-db3c-11e1-a84b-00e0814cab4e)
2012-08-01 00:00:00
Fedora 16 : Django-1.3.2-1.fc16 (2012-11416)
2012-08-13 00:00:00
Mandriva Linux Security Advisory : python-django (MDVSA-2012:143)
2012-09-06 00:00:00
seebug
seebug
Djangoθ·¨η«™θ„šζœ¬ζ‰§θ‘Œε’ŒδΈ€δΈͺζ‹’η»ζœεŠ‘ζΌζ΄ž
2012-08-03 00:00:00
ubuntu
ubuntu
Django vulnerabilities
2012-09-10 00:00:00
fedora
fedora
[SECURITY] Fedora 16 Update: Django-1.3.2-1.fc16
2012-08-10 22:34:03
[SECURITY] Fedora 17 Update: Django-1.4.3-1.fc17
2012-12-20 03:20:48
[SECURITY] Fedora 17 Update: Django-1.4.1-1.fc17
2012-08-10 22:27:19
securityvulns
securityvulns
[ MDVSA-2012:143 ] python-django
2012-09-03 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2012-09-03 00:00:00
debian
debian
[SECURITY] [DSA 2529-1] python-django security update
2012-08-14 20:05:21
osv
osv
python-django - several
2012-08-14 00:00:00
Django Allows Redirect via Data URL
2022-05-17 05:12:01
PYSEC-2012-4
2012-07-31 17:55:00
freebsd
freebsd
django -- multiple vulnerabilities
2012-07-30 00:00:00
cve
cve
CVE-2012-3442
2012-07-31 17:55:00
CVE-2012-3444
2012-07-31 17:55:00
CVE-2012-3443
2012-07-31 17:55:00
debiancve
debiancve
CVE-2012-3442
2012-07-31 17:55:00
CVE-2012-3444
2012-07-31 17:55:00
CVE-2012-3443
2012-07-31 17:55:00
ubuntucve
ubuntucve
CVE-2012-3444
2012-07-31 00:00:00
CVE-2012-3442
2012-07-31 00:00:00
CVE-2012-3443
2012-07-31 00:00:00
prion
prion
Design/Logic Flaw
2012-07-31 17:55:00
Cross site scripting
2012-07-31 17:55:00
Design/Logic Flaw
2012-07-31 17:55:00
github
github
Django Allows Redirect via Data URL
2022-05-17 05:12:01
Django vulnerable to Improper Restriction of Operations within the Bounds of a Memory Buffer
2022-05-17 05:12:01
Django Image Field Vulnerable to Image Decompression Bombs
2022-05-17 05:12:01
gitlab
gitlab
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2022-05-17 00:00:00
Improper Restriction of Operations within the Bounds of a Memory Buffer
2022-05-17 00:00:00
Improper Input Validation
2022-05-17 00:00:00
JSON
Related for UBUNTU_USN-1560-1.NASL
openvas20nessus6seebug1ubuntu1fedora6securityvulns2debian1osv7freebsd1cve3debiancve3ubuntucve3prion3github3gitlab3