First published: Tue Aug 26 2014(Updated: )
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.
Credit: security@debian.org security@debian.org
Affected Software | Affected Version | How to fix |
---|---|---|
pip/Django | >=1.7a1<1.7c3 | 1.7c3 |
pip/Django | >=1.6<1.6.6 | 1.6.6 |
pip/Django | >=1.5<1.5.9 | 1.5.9 |
pip/Django | <1.4.14 | 1.4.14 |
SUSE Linux | =12.3 | |
SUSE Linux | =13.1 | |
Django | =1.5 | |
Django | =1.5-alpha | |
Django | =1.5-beta | |
Django | =1.5.1 | |
Django | =1.5.2 | |
Django | =1.5.3 | |
Django | =1.5.4 | |
Django | =1.5.5 | |
Django | =1.5.6 | |
Django | =1.5.7 | |
Django | =1.5.8 | |
Django | =1.6 | |
Django | =1.6-beta1 | |
Django | =1.6-beta2 | |
Django | =1.6-beta3 | |
Django | =1.6-beta4 | |
Django | =1.6.1 | |
Django | =1.6.2 | |
Django | =1.6.3 | |
Django | =1.6.4 | |
Django | =1.6.5 | |
Django | <=1.4.13 | |
Django | =1.4 | |
Django | =1.4.1 | |
Django | =1.4.2 | |
Django | =1.4.4 | |
Django | =1.4.5 | |
Django | =1.4.6 | |
Django | =1.4.7 | |
Django | =1.4.8 | |
Django | =1.4.9 | |
Django | =1.4.10 | |
Django | =1.4.11 | |
Django | =1.4.12 | |
Django | =1.7-beta1 | |
Django | =1.7-beta2 | |
Django | =1.7-beta3 | |
Django | =1.7-beta4 | |
Django | =1.7-rc1 | |
Django | =1.7-rc2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2014-0483 has a high severity level as it allows remote authenticated users to access sensitive information through the administrative interface.
To fix CVE-2014-0483, upgrade to Django versions 1.7c3 or higher, 1.6.6, 1.5.9, or 1.4.14.
CVE-2014-0483 affects Django versions before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 earlier than release candidate 3.
CVE-2014-0483 is a vulnerability in the administrative interface of Django that fails to check model relationships.
Yes, remote authenticated users can exploit CVE-2014-0483 to obtain sensitive information.