CVE-2014-3730: Input Validation
First published: Fri May 16 2014(Updated: )
The `django.util.http.is_safe_url` function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
Credit: security@debian.org security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Canonical Ubuntu Linux | =10.04 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =12.10 | |
| Canonical Ubuntu Linux | =13.10 | |
| Canonical Ubuntu Linux | =14.04 | |
| Djangoproject Django | =1.4 | |
| Djangoproject Django | =1.4.1 | |
| Djangoproject Django | =1.4.2 | |
| Djangoproject Django | =1.4.4 | |
| Djangoproject Django | =1.4.5 | |
| Djangoproject Django | =1.4.6 | |
| Djangoproject Django | =1.4.7 | |
| Djangoproject Django | =1.4.8 | |
| Djangoproject Django | =1.4.9 | |
| Djangoproject Django | =1.4.10 | |
| Djangoproject Django | =1.4.11 | |
| Djangoproject Django | =1.4.12 | |
| Djangoproject Django | =1.7-beta1 | |
| Djangoproject Django | =1.7-beta2 | |
| Djangoproject Django | =1.7-beta3 | |
| openSUSE openSUSE | =12.3 | |
| openSUSE openSUSE | =13.1 | |
| Djangoproject Django | =1.6 | |
| Djangoproject Django | =1.6-beta1 | |
| Djangoproject Django | =1.6-beta2 | |
| Djangoproject Django | =1.6-beta3 | |
| Djangoproject Django | =1.6-beta4 | |
| Djangoproject Django | =1.6.1 | |
| Djangoproject Django | =1.6.2 | |
| Djangoproject Django | =1.6.3 | |
| Djangoproject Django | =1.6.4 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Djangoproject Django | =1.5 | |
| Djangoproject Django | =1.5-alpha | |
| Djangoproject Django | =1.5-beta | |
| Djangoproject Django | =1.5.1 | |
| Djangoproject Django | =1.5.2 | |
| Djangoproject Django | =1.5.3 | |
| Djangoproject Django | =1.5.4 | |
| Djangoproject Django | =1.5.5 | |
| Djangoproject Django | =1.5.6 | |
| Djangoproject Django | =1.5.7 | |
| pip/Django | >=1.7a1<1.7b4 | 1.7b4 |
| pip/Django | >=1.6<1.6.5 | 1.6.5 |
| pip/Django | >=1.5<1.5.8 | 1.5.8 |
| pip/Django | >=1.4<1.4.13 | 1.4.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2014-3730
- https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
- http://ubuntu.com/usn/usn-2212-1
- http://www.debian.org/security/2014/dsa-2934
- http://www.openwall.com/lists/oss-security/2014/05/14/10
- http://www.openwall.com/lists/oss-security/2014/05/15/3
- https://github.com/django/django/commit/601107524523bca02376a0ddc1a06c6fdb8f22f3
- https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df
- https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d
- https://web.archive.org/web/20200228171223/http://www.securityfocus.com/bid/67410
- https://github.com/advisories/GHSA-vq3h-3q7v-9prw (Advisory)
- http://secunia.com/advisories/61281
- http://www.securityfocus.com/bid/67410
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-20.yaml
- https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued
- agent/author
- agent/type
- agent/weakness
- agent/remedy
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vq3h-3q7v-9prw
- alias/CVE-2014-3730
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/softwarecombine
- agent/tags
- agent/trending
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/10.04
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/12.10
- version/canonical ubuntu linux/13.10
- version/canonical ubuntu linux/14.04
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.4
- version/djangoproject django/1.4.1
- version/djangoproject django/1.4.2
- version/djangoproject django/1.4.4
- version/djangoproject django/1.4.5
- version/djangoproject django/1.4.6
- version/djangoproject django/1.4.7
- version/djangoproject django/1.4.8
- version/djangoproject django/1.4.9
- version/djangoproject django/1.4.10
- version/djangoproject django/1.4.11
- version/djangoproject django/1.4.12
- version/djangoproject django/1.7-beta1
- version/djangoproject django/1.7-beta2
- version/djangoproject django/1.7-beta3
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/12.3
- version/opensuse opensuse/13.1
- version/djangoproject django/1.6
- version/djangoproject django/1.6-beta1
- version/djangoproject django/1.6-beta2
- version/djangoproject django/1.6-beta3
- version/djangoproject django/1.6-beta4
- version/djangoproject django/1.6.1
- version/djangoproject django/1.6.2
- version/djangoproject django/1.6.3
- version/djangoproject django/1.6.4
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/djangoproject django/1.5
- version/djangoproject django/1.5-alpha
- version/djangoproject django/1.5-beta
- version/djangoproject django/1.5.1
- version/djangoproject django/1.5.2
- version/djangoproject django/1.5.3
- version/djangoproject django/1.5.4
- version/djangoproject django/1.5.5
- version/djangoproject django/1.5.6
- version/djangoproject django/1.5.7
- package-manager/pip