Lucene search

[email protected]NVD:CVE-2017-7233

HistoryApr 04, 2017 - 5:59 p.m.

CVE-2017-7233

2017-04-0417:59:00

CWE-601

[email protected]

web.nvd.nist.gov

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.7%

JSON

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs “safe” when they shouldn’t be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Affected configurations

NVD

Node

djangoprojectdjangoMatch1.8.0

djangoprojectdjangoMatch1.8.0a1

djangoprojectdjangoMatch1.8.0b1

djangoprojectdjangoMatch1.8.0b2

djangoprojectdjangoMatch1.8.0c1

djangoprojectdjangoMatch1.8.1

djangoprojectdjangoMatch1.8.2

djangoprojectdjangoMatch1.8.3

djangoprojectdjangoMatch1.8.4

djangoprojectdjangoMatch1.8.5

djangoprojectdjangoMatch1.8.6

djangoprojectdjangoMatch1.8.7

djangoprojectdjangoMatch1.8.8

djangoprojectdjangoMatch1.8.9

djangoprojectdjangoMatch1.8.10

djangoprojectdjangoMatch1.8.11

djangoprojectdjangoMatch1.8.12

djangoprojectdjangoMatch1.8.13

djangoprojectdjangoMatch1.8.14

djangoprojectdjangoMatch1.8.15

djangoprojectdjangoMatch1.8.16

djangoprojectdjangoMatch1.8.17

djangoprojectdjangoMatch1.9

djangoprojectdjangoMatch1.9a1

djangoprojectdjangoMatch1.9b1

djangoprojectdjangoMatch1.9rc1

djangoprojectdjangoMatch1.9rc2

djangoprojectdjangoMatch1.9.1

djangoprojectdjangoMatch1.9.2

djangoprojectdjangoMatch1.9.3

djangoprojectdjangoMatch1.9.4

djangoprojectdjangoMatch1.9.5

djangoprojectdjangoMatch1.9.6

djangoprojectdjangoMatch1.9.7

djangoprojectdjangoMatch1.9.8

djangoprojectdjangoMatch1.9.9

djangoprojectdjangoMatch1.9.10

djangoprojectdjangoMatch1.9.11

djangoprojectdjangoMatch1.9.12

djangoprojectdjangoMatch1.10.0

djangoprojectdjangoMatch1.10.0a1

djangoprojectdjangoMatch1.10.0b1

djangoprojectdjangoMatch1.10.0rc1

djangoprojectdjangoMatch1.10.1

djangoprojectdjangoMatch1.10.2

djangoprojectdjangoMatch1.10.3

djangoprojectdjangoMatch1.10.4

djangoprojectdjangoMatch1.10.5

djangoprojectdjangoMatch1.10.6

References

www.debian.org/security/2017/dsa-3835

www.securityfocus.com/bid/97406

www.securitytracker.com/id/1038177

access.redhat.com/errata/RHSA-2017:1445

access.redhat.com/errata/RHSA-2017:1451

access.redhat.com/errata/RHSA-2017:1462

access.redhat.com/errata/RHSA-2017:1470

access.redhat.com/errata/RHSA-2017:1596

access.redhat.com/errata/RHSA-2017:3093

access.redhat.com/errata/RHSA-2018:2927

www.djangoproject.com/weblog/2017/apr/04/security-releases/

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.7%

JSON

Related for NVD:CVE-2017-7233

nessus12 fedora2 ubuntucve1 osv5 cvelist1 redhat7 seebug1 openvas6 debiancve1 github1 cve1 veracode2 alpinelinux1 debian3 myhack581 prion1 archlinux2 mageia1 altlinux2 freebsd1 ubuntu1