CVE-2014-3730: Input Validation
First published: Fri May 16 2014(Updated: )
The `django.util.http.is_safe_url` function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Django | >=1.7a1<1.7b4 | 1.7b4 |
| pip/Django | >=1.6<1.6.5 | 1.6.5 |
| pip/Django | >=1.5<1.5.8 | 1.5.8 |
| pip/Django | >=1.4<1.4.13 | 1.4.13 |
| Ubuntu Linux | =10.04 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 | |
| Ubuntu Linux | =13.10 | |
| Ubuntu Linux | =14.04 | |
| djangoproject Django | =1.4 | |
| djangoproject Django | =1.4.1 | |
| djangoproject Django | =1.4.2 | |
| djangoproject Django | =1.4.4 | |
| djangoproject Django | =1.4.5 | |
| djangoproject Django | =1.4.6 | |
| djangoproject Django | =1.4.7 | |
| djangoproject Django | =1.4.8 | |
| djangoproject Django | =1.4.9 | |
| djangoproject Django | =1.4.10 | |
| djangoproject Django | =1.4.11 | |
| djangoproject Django | =1.4.12 | |
| djangoproject Django | =1.7-beta1 | |
| djangoproject Django | =1.7-beta2 | |
| djangoproject Django | =1.7-beta3 | |
| openSUSE | =12.3 | |
| openSUSE | =13.1 | |
| djangoproject Django | =1.6 | |
| djangoproject Django | =1.6-beta1 | |
| djangoproject Django | =1.6-beta2 | |
| djangoproject Django | =1.6-beta3 | |
| djangoproject Django | =1.6-beta4 | |
| djangoproject Django | =1.6.1 | |
| djangoproject Django | =1.6.2 | |
| djangoproject Django | =1.6.3 | |
| djangoproject Django | =1.6.4 | |
| Debian GNU/Linux | =7.0 | |
| Debian GNU/Linux | =8.0 | |
| djangoproject Django | =1.5 | |
| djangoproject Django | =1.5-alpha | |
| djangoproject Django | =1.5-beta | |
| djangoproject Django | =1.5.1 | |
| djangoproject Django | =1.5.2 | |
| djangoproject Django | =1.5.3 | |
| djangoproject Django | =1.5.4 | |
| djangoproject Django | =1.5.5 | |
| djangoproject Django | =1.5.6 | |
| djangoproject Django | =1.5.7 | |
| Ubuntu | =10.04 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Ubuntu | =13.10 | |
| Ubuntu | =14.04 | |
| Django | =1.4 | |
| Django | =1.4.1 | |
| Django | =1.4.2 | |
| Django | =1.4.4 | |
| Django | =1.4.5 | |
| Django | =1.4.6 | |
| Django | =1.4.7 | |
| Django | =1.4.8 | |
| Django | =1.4.9 | |
| Django | =1.4.10 | |
| Django | =1.4.11 | |
| Django | =1.4.12 | |
| Django | =1.7-beta1 | |
| Django | =1.7-beta2 | |
| Django | =1.7-beta3 | |
| Django | =1.6 | |
| Django | =1.6-beta1 | |
| Django | =1.6-beta2 | |
| Django | =1.6-beta3 | |
| Django | =1.6-beta4 | |
| Django | =1.6.1 | |
| Django | =1.6.2 | |
| Django | =1.6.3 | |
| Django | =1.6.4 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| Django | =1.5 | |
| Django | =1.5-alpha | |
| Django | =1.5-beta | |
| Django | =1.5.1 | |
| Django | =1.5.2 | |
| Django | =1.5.3 | |
| Django | =1.5.4 | |
| Django | =1.5.5 | |
| Django | =1.5.6 | |
| Django | =1.5.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2014-3730
- https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued/
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
- http://ubuntu.com/usn/usn-2212-1
- http://www.debian.org/security/2014/dsa-2934
- http://www.openwall.com/lists/oss-security/2014/05/14/10
- http://www.openwall.com/lists/oss-security/2014/05/15/3
- https://github.com/django/django/commit/601107524523bca02376a0ddc1a06c6fdb8f22f3
- https://github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df
- https://github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d
- https://web.archive.org/web/20200228171223/http://www.securityfocus.com/bid/67410
- https://github.com/advisories/GHSA-vq3h-3q7v-9prw (Advisory)
- http://secunia.com/advisories/61281
- http://www.securityfocus.com/bid/67410
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-20.yaml
- https://www.djangoproject.com/weblog/2014/may/14/security-releases-issued
Frequently Asked Questions
What is the severity of CVE-2014-3730?
CVE-2014-3730 has been rated as a medium severity vulnerability due to its potential to facilitate open redirect attacks.
How do I fix CVE-2014-3730?
To fix CVE-2014-3730, upgrade Django to version 1.4.13, 1.5.8, 1.6.5, or 1.7b4 or later.
Which versions of Django are affected by CVE-2014-3730?
Django versions 1.4 to 1.4.12, 1.5 to 1.5.7, 1.6 to 1.6.4, and 1.7 beta versions prior to 1.7b4 are affected by CVE-2014-3730.
What type of attack does CVE-2014-3730 allow?
CVE-2014-3730 allows attackers to perform open redirect attacks due to improper URL validation.
What systems are impacted by CVE-2014-3730?
CVE-2014-3730 affects Django running on various operating systems, including Ubuntu and Debian, specifically the versions mentioned.
- agent/type
- agent/weakness
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vq3h-3q7v-9prw
- alias/CVE-2014-3730
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- package-manager/pip
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/10.04
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10
- version/ubuntu linux/13.10
- version/ubuntu linux/14.04
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.4
- version/djangoproject django/1.4.1
- version/djangoproject django/1.4.2
- version/djangoproject django/1.4.4
- version/djangoproject django/1.4.5
- version/djangoproject django/1.4.6
- version/djangoproject django/1.4.7
- version/djangoproject django/1.4.8
- version/djangoproject django/1.4.9
- version/djangoproject django/1.4.10
- version/djangoproject django/1.4.11
- version/djangoproject django/1.4.12
- version/djangoproject django/1.7-beta1
- version/djangoproject django/1.7-beta2
- version/djangoproject django/1.7-beta3
- vendor/opensuse
- canonical/opensuse
- version/opensuse/12.3
- version/opensuse/13.1
- version/djangoproject django/1.6
- version/djangoproject django/1.6-beta1
- version/djangoproject django/1.6-beta2
- version/djangoproject django/1.6-beta3
- version/djangoproject django/1.6-beta4
- version/djangoproject django/1.6.1
- version/djangoproject django/1.6.2
- version/djangoproject django/1.6.3
- version/djangoproject django/1.6.4
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/7.0
- version/debian gnu/linux/8.0
- version/djangoproject django/1.5
- version/djangoproject django/1.5-alpha
- version/djangoproject django/1.5-beta
- version/djangoproject django/1.5.1
- version/djangoproject django/1.5.2
- version/djangoproject django/1.5.3
- version/djangoproject django/1.5.4
- version/djangoproject django/1.5.5
- version/djangoproject django/1.5.6
- version/djangoproject django/1.5.7
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/12.04
- version/ubuntu/12.10
- version/ubuntu/13.10
- version/ubuntu/14.04
- canonical/django
- version/django/1.4
- version/django/1.4.1
- version/django/1.4.2
- version/django/1.4.4
- version/django/1.4.5
- version/django/1.4.6
- version/django/1.4.7
- version/django/1.4.8
- version/django/1.4.9
- version/django/1.4.10
- version/django/1.4.11
- version/django/1.4.12
- version/django/1.7-beta1
- version/django/1.7-beta2
- version/django/1.7-beta3
- version/django/1.6
- version/django/1.6-beta1
- version/django/1.6-beta2
- version/django/1.6-beta3
- version/django/1.6-beta4
- version/django/1.6.1
- version/django/1.6.2
- version/django/1.6.3
- version/django/1.6.4
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- version/django/1.5
- version/django/1.5-alpha
- version/django/1.5-beta
- version/django/1.5.1
- version/django/1.5.2
- version/django/1.5.3
- version/django/1.5.4
- version/django/1.5.5
- version/django/1.5.6
- version/django/1.5.7