First published: Mon Sep 16 2013(Updated: )
Directory traversal vulnerability in Django 1.4.x before 1.4.7, 1.5.x before 1.5.3, and 1.6.x before 1.6 beta 3 allows remote attackers to read arbitrary files via a file path in the ALLOWED_INCLUDE_ROOTS setting followed by a .. (dot dot) in a ssi template tag.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
pip/django | >=1.5<1.5.3 | 1.5.3 |
pip/django | >=1.4<1.4.7 | 1.4.7 |
Djangoproject Django | =1.4 | |
Djangoproject Django | =1.4.1 | |
Djangoproject Django | =1.4.2 | |
Djangoproject Django | =1.4.4 | |
Djangoproject Django | =1.4.5 | |
Djangoproject Django | =1.4.6 | |
Djangoproject Django | =1.5 | |
Djangoproject Django | =1.5-alpha | |
Djangoproject Django | =1.5-beta | |
Djangoproject Django | =1.5.1 | |
Djangoproject Django | =1.6-beta1 | |
Djangoproject Django | =1.6-beta2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.