Lucene search
Ubuntu Security Notice (C) 2018-2023 Canonical, Inc. / NASL script (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3726-1.NASLHistoryAug 02, 2018 - 12:00 a.m.
Ubuntu 18.04 LTS : Django vulnerability (USN-3726-1)
2018-08-0200:00:00
Ubuntu Security Notice (C) 2018-2023 Canonical, Inc. / NASL script (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
9
Andreas Hug discovered that Django contained an open redirect in CommonMiddleware. A remote attacker could possibly use this issue to perform phishing attacks.
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3726-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(111511);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/21");
script_cve_id("CVE-2018-14574");
script_xref(name:"USN", value:"3726-1");
script_name(english:"Ubuntu 18.04 LTS : Django vulnerability (USN-3726-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
script_set_attribute(attribute:"description", value:
"Andreas Hug discovered that Django contained an open redirect in
CommonMiddleware. A remote attacker could possibly use this issue to
perform phishing attacks.
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3726-1");
script_set_attribute(attribute:"solution", value:
"Update the affected python-django, python-django-common and / or python3-django packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-14574");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/03");
script_set_attribute(attribute:"patch_publication_date", value:"2018/08/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/02");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-django");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-django-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3-django");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2018-2023 Canonical, Inc. / NASL script (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '18.04', 'pkgname': 'python-django', 'pkgver': '1:1.11.11-1ubuntu1.1'},
{'osver': '18.04', 'pkgname': 'python-django-common', 'pkgver': '1:1.11.11-1ubuntu1.1'},
{'osver': '18.04', 'pkgname': 'python3-django', 'pkgver': '1:1.11.11-1ubuntu1.1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python-django / python-django-common / python3-django');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | python-django-common | p-cpe:/a:canonical:ubuntu_linux:python-django-common |
| canonical | ubuntu_linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04:-:lts |
| canonical | ubuntu_linux | python-django | p-cpe:/a:canonical:ubuntu_linux:python-django |
| canonical | ubuntu_linux | python3-django | p-cpe:/a:canonical:ubuntu_linux:python3-django |
Related
suse
suse
Security update for python-Django1 (important)
2018-09-22 09:30:22
Security update for python-Django (moderate)
2018-08-14 21:08:37
Security update for python-Django (moderate)
2018-09-22 09:15:44
cve
cve
CVE-2018-14574
2018-08-03 17:29:00
github
github
Django open redirect
2018-10-04 21:58:46
openvas
openvas
openSUSE: Security Advisory for python-Django (openSUSE-SU-2018:2488-1)
2018-10-26 00:00:00
Debian: Security Advisory (DSA-4264-1)
2018-08-04 00:00:00
Fedora Update for python-django FEDORA-2018-6fa1017c1d
2019-05-07 00:00:00
osv
osv
PYSEC-2018-2
2018-08-03 17:29:00
python-django - security update
2018-08-05 00:00:00
CVE-2018-14574
2018-08-03 17:29:00
nessus
nessus
openSUSE Security Update : python-Django (openSUSE-2019-614)
2019-03-27 00:00:00
openSUSE Security Update : python-Django (openSUSE-2018-914)
2018-08-28 00:00:00
Fedora 28 : python2-django1.11 (2018-0c85690ba7)
2019-01-03 00:00:00
veracode
veracode
Open Redirect
2018-08-02 07:23:55
redhatcve
redhatcve
CVE-2018-14574
2018-08-02 02:49:03
archlinux
archlinux
[ASA-201808-3] python2-django: open redirect
2018-08-03 00:00:00
[ASA-201808-1] python-django: open redirect
2018-08-01 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: python2-django1.11-1.11.15-2.fc28
2018-08-14 21:13:31
[SECURITY] Fedora 29 Update: python-django-2.0.9-1.fc29
2018-11-03 00:02:47
[SECURITY] Fedora 28 Update: python2-django1.11-1.11.20-1.fc28
2019-03-20 21:18:09
alpinelinux
alpinelinux
CVE-2018-14574
2018-08-03 17:29:00
ubuntu
ubuntu
Django vulnerability
2018-08-01 00:00:00
prion
prion
Open redirect
2018-08-03 17:29:00
debian
debian
[SECURITY] [DSA 4264-1] python-django security update
2018-08-05 10:31:21
ubuntucve
ubuntucve
CVE-2018-14574
2018-08-01 00:00:00
debiancve
debiancve
CVE-2018-14574
2018-08-03 17:29:00
nuclei
nuclei
Django - Open Redirect
2021-02-01 13:26:05
redhat
redhat
altlinux
altlinux
Related for UBUNTU_USN-3726-1.NASL