CVE-2016-2512 (GCVE-0-2016-2512)
Vulnerability from cvelistv5
Published
2016-04-08 15:00
Modified
2024-08-05 23:32
CWE
- n/a (no CWE is assigned in the CVE record itself; the NVD data embedded below lists CWE-79 and the Red Hat CSAF advisories below list CWE-601)
Summary
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:32:20.686Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2016:0506", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "name": "1035152", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id/1035152" }, { "name": "83879", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/83879" }, { "name": "RHSA-2016:0504", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "name": "DSA-3544", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3544" }, { "name": "RHSA-2016:0502", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "name": "USN-2915-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": "USN-2915-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "name": "RHSA-2016:0505", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "name": "USN-2915-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred" ], "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], 
"url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-01T00:00:00", "descriptions": [ { "lang": "en", "value": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-07T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "RHSA-2016:0506", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "name": "1035152", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id/1035152" }, { "name": "83879", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/83879" }, { "name": "RHSA-2016:0504", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "name": "DSA-3544", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3544" }, { "name": "RHSA-2016:0502", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "name": "USN-2915-3", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": 
"USN-2915-2", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "name": "RHSA-2016:0505", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "name": "USN-2915-1", "tags": [ "vendor-advisory", "x_refsource_UBUNTU" ], "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2512", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2016:0506", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "name": "1035152", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035152" }, { "name": "83879", "refsource": "BID", "url": "http://www.securityfocus.com/bid/83879" }, { "name": "RHSA-2016:0504", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "name": "DSA-3544", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3544" }, { "name": "RHSA-2016:0502", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "name": "USN-2915-3", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": "USN-2915-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "name": "RHSA-2016:0505", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "name": "USN-2915-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" }, { "name": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0", "refsource": "CONFIRM", "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2512", "datePublished": "2016-04-08T15:00:00", "dateReserved": "2016-02-19T00:00:00", 
"dateUpdated": "2024-08-05T23:32:20.686Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2016-2512\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2016-04-08T15:59:06.183\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\\\@attacker.com.\"},{\"lang\":\"es\",\"value\":\"La funci\u00f3n utils.http.is_safe_url en Django en versiones anteriores a 1.8.10 y 1.9.x en versiones anteriores a 1.9.3 permite a atacantes remotos redirigir a usuarios a p\u00e1ginas web arbitrarias y llevar a cabo ataques de phishing o posiblemente llevar a cabo ataques de XSS a trav\u00e9s de una URL que contiene autenticaci\u00f3n b\u00e1sica, seg\u00fan lo demostrado por 
http://mysite.example.com\\\\@attacker.com.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99A5BF6D-631B-4C8E-9868-579BD79100C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"29C40BAC-6DF3-4EA2-A65A-86462DDD8723\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B754401-8503-4553-853F-4F6BCD2D2FF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"019C26C7-EF1F-45BB-934E-521E2E64452E\"}]}]}],\"references\":[{\"url\":\"http://rhn
.redhat.com/errata/RHSA-2016-0502.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0504.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0505.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0506.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3544\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/83879\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1035152\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2915-1\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2915-2\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2915-3\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.djangoproject.com/weblog/2016/mar/01/security-releases/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0502.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0504.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0505.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0506.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.debian.org/security/2016/dsa-3544\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/83879\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1035152\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2915-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2915-2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2915-3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.djangoproject.com/weblog/2016/mar/01/security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
rhsa-2016:0503
Vulnerability from csaf_redhat
Published
2016-03-24 01:10
Modified
2025-08-03 14:29
Summary
Red Hat Security Advisory: python-django security update
Notes
Topic
An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.
Security Fix(es):
* An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered redirect URLs containing basic-authentication credentials. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
* A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used fewer hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)
Red Hat would like to thank the Django project for reporting these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)\n\n* A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)\n\nRed Hat would like to thank the Django project for reporting these issues.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2016:0503", "url": "https://access.redhat.com/errata/RHSA-2016:0503" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_0503.json" } ], "title": "Red Hat Security Advisory: python-django security update", "tracking": { "current_release_date": "2025-08-03T14:29:20+00:00", "generator": { "date": "2025-08-03T14:29:20+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2016:0503", "initial_release_date": "2016-03-24T01:10:21+00:00", "revision_history": [ { "date": "2016-03-24T01:10:21+00:00", "number": "1", "summary": "Initial version" }, { "date": "2016-03-24T01:10:21+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-03T14:29:20+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise 
Linux OpenStack Platform 7.0 Operational Tools for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0-OPTOOLS", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack-optools:7::el7" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-bash-completion@1.6.11-5.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el7ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "python-django-0:1.6.11-5.el7ost.src", "product": { "name": "python-django-0:1.6.11-5.el7ost.src", "product_id": "python-django-0:1.6.11-5.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el7ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0-OPTOOLS" }, { "category": 
"default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.src" }, "product_reference": "python-django-0:1.6.11-5.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-7.0-OPTOOLS" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0-OPTOOLS" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2512", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311431" } ], "notes": [ { "category": "description", "text": "An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. 
An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "RHBZ#1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2512", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:21+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0503" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth" }, { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2513", "cwe": { "id": "CWE-385", "name": "Covert Timing Channel" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311438" } ], "notes": [ { "category": "description", "text": "A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. 
Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: User enumeration through timing difference on password hasher work factor upgrade", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2513" }, { "category": "external", "summary": "RHBZ#1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2513", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2513" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:21+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0503" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-7.0-OPTOOLS:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: User enumeration through timing difference on password hasher work factor upgrade" } ] }
rhsa-2016:0504
Vulnerability from csaf_redhat
Published
2016-03-24 01:10
Modified
2025-08-03 14:29
Summary
Red Hat Security Advisory: python-django security update
Notes
Topic
An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.
Security Fix(es):
* An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered redirect URLs containing basic-authentication credentials. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
* A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used fewer hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)
Red Hat would like to thank the Django project for reporting these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)\n\n* A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)\n\nRed Hat would like to thank the Django project for reporting these issues.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2016:0504", "url": "https://access.redhat.com/errata/RHSA-2016:0504" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_0504.json" } ], "title": "Red Hat Security Advisory: python-django security update", "tracking": { "current_release_date": "2025-08-03T14:29:15+00:00", "generator": { "date": "2025-08-03T14:29:15+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2016:0504", "initial_release_date": "2016-03-24T01:10:13+00:00", "revision_history": [ { "date": "2016-03-24T01:10:13+00:00", "number": "1", "summary": "Initial version" }, { "date": "2016-03-24T01:10:13+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-03T14:29:15+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise 
Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:7::el7" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "python-django-0:1.8.11-1.el7ost.noarch", "product": { "name": "python-django-0:1.8.11-1.el7ost.noarch", "product_id": "python-django-0:1.8.11-1.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.8.11-1.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "product": { "name": "python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "product_id": "python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-bash-completion@1.8.11-1.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-doc-0:1.8.11-1.el7ost.noarch", "product": { "name": "python-django-doc-0:1.8.11-1.el7ost.noarch", "product_id": "python-django-doc-0:1.8.11-1.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-doc@1.8.11-1.el7ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "python-django-0:1.8.11-1.el7ost.src", "product": { "name": "python-django-0:1.8.11-1.el7ost.src", "product_id": "python-django-0:1.8.11-1.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.8.11-1.el7ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.8.11-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack 
Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.noarch" }, "product_reference": "python-django-0:1.8.11-1.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.8.11-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.src" }, "product_reference": "python-django-0:1.8.11-1.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-bash-completion-0:1.8.11-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.11-1.el7ost.noarch" }, "product_reference": "python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-doc-0:1.8.11-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7", "product_id": "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.11-1.el7ost.noarch" }, "product_reference": "python-django-doc-0:1.8.11-1.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-7.0" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2512", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311431" } ], "notes": [ { "category": "description", "text": "An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. 
An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.src", "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.11-1.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "RHBZ#1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2512", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:13+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.src", "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.11-1.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0504" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.src", "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.11-1.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth" }, { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2513", "cwe": { "id": "CWE-385", "name": "Covert Timing Channel" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311438" } ], "notes": [ { "category": "description", "text": "A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. 
Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: User enumeration through timing difference on password hasher work factor upgrade", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.src", "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.11-1.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2513" }, { "category": "external", "summary": "RHBZ#1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2513", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2513" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:13+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer 
to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.src", "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.11-1.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0504" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-0:1.8.11-1.el7ost.src", "7Server-RH7-RHOS-7.0:python-django-bash-completion-0:1.8.11-1.el7ost.noarch", "7Server-RH7-RHOS-7.0:python-django-doc-0:1.8.11-1.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: User enumeration through timing difference on password hasher work factor upgrade" } ] }
rhsa-2016:0506
Vulnerability from csaf_redhat
Published
2016-03-24 01:09
Modified
2025-08-03 14:29
Summary
Red Hat Security Advisory: python-django security update
Notes
Topic
An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.
Security Fix(es):
* An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered URLs containing basic authentication. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
* A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used fewer hashing iterations, which allowed an attacker to enumerate existing users based on timing differences between login requests. (CVE-2016-2513)
Red Hat would like to thank the Django project for reporting these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)\n\n* A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)\n\nRed Hat would like to thank the Django project for reporting these issues.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2016:0506", "url": "https://access.redhat.com/errata/RHSA-2016:0506" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_0506.json" } ], "title": "Red Hat Security Advisory: python-django security update", "tracking": { "current_release_date": "2025-08-03T14:29:49+00:00", "generator": { "date": "2025-08-03T14:29:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2016:0506", "initial_release_date": "2016-03-24T01:09:57+00:00", "revision_history": [ { "date": "2016-03-24T01:09:57+00:00", "number": "1", "summary": "Initial version" }, { "date": "2016-03-24T01:09:57+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-03T14:29:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise 
Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el7" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-bash-completion@1.6.11-5.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-doc-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-doc-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-doc-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-doc@1.6.11-5.el7ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "python-django-0:1.6.11-5.el7ost.src", "product": { "name": "python-django-0:1.6.11-5.el7ost.src", "product_id": "python-django-0:1.6.11-5.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el7ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux 
OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.src" }, "product_reference": "python-django-0:1.6.11-5.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-doc-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7", "product_id": "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-doc-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-5.0" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2512", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311431" } ], "notes": [ { "category": "description", "text": "An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication 
URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "RHBZ#1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2512", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:09:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0506" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth" }, { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2513", "cwe": { "id": "CWE-385", "name": "Covert Timing Channel" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311438" } ], "notes": [ { "category": "description", "text": "A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. 
Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: User enumeration through timing difference on password hasher work factor upgrade", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2513" }, { "category": "external", "summary": "RHBZ#1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2513", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2513" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:09:57+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer 
to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0506" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-5.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: User enumeration through timing difference on password hasher work factor upgrade" } ] }
rhsa-2016:0505
Vulnerability from csaf_redhat
Published
2016-03-24 01:10
Modified
2025-08-03 14:29
Summary
Red Hat Security Advisory: python-django security update
Notes
Topic
An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.
Security Fix(es):
* An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered URLs containing basic authentication. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
* A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used fewer hashing iterations, which allowed an attacker to enumerate existing users based on timing differences between login requests. (CVE-2016-2513)
Red Hat would like to thank the Django project for reporting these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)\n\n* A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)\n\nRed Hat would like to thank the Django project for reporting these issues.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2016:0505", "url": "https://access.redhat.com/errata/RHSA-2016:0505" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_0505.json" } ], "title": "Red Hat Security Advisory: python-django security update", "tracking": { "current_release_date": "2025-08-03T14:29:10+00:00", "generator": { "date": "2025-08-03T14:29:10+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2016:0505", "initial_release_date": "2016-03-24T01:10:05+00:00", "revision_history": [ { "date": "2016-03-24T01:10:05+00:00", "number": "1", "summary": "Initial version" }, { "date": "2016-03-24T01:10:05+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-03T14:29:10+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise 
Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:6::el7" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-bash-completion@1.6.11-5.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el7ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-doc-0:1.6.11-5.el7ost.noarch", "product": { "name": "python-django-doc-0:1.6.11-5.el7ost.noarch", "product_id": "python-django-doc-0:1.6.11-5.el7ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-doc@1.6.11-5.el7ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "python-django-0:1.6.11-5.el7ost.src", "product": { "name": "python-django-0:1.6.11-5.el7ost.src", "product_id": "python-django-0:1.6.11-5.el7ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el7ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack 
Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.src" }, "product_reference": "python-django-0:1.6.11-5.el7ost.src", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-doc-0:1.6.11-5.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7", "product_id": "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-5.el7ost.noarch" }, "product_reference": "python-django-doc-0:1.6.11-5.el7ost.noarch", "relates_to_product_reference": "7Server-RH7-RHOS-6.0" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2512", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311431" } ], "notes": [ { "category": "description", "text": "An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. 
An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "RHBZ#1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2512", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:05+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0505" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth" }, { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2513", "cwe": { "id": "CWE-385", "name": "Covert Timing Channel" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311438" } ], "notes": [ { "category": "description", "text": "A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. 
Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: User enumeration through timing difference on password hasher work factor upgrade", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2513" }, { "category": "external", "summary": "RHBZ#1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2513", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2513" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:05+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer 
to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0505" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-0:1.6.11-5.el7ost.src", "7Server-RH7-RHOS-6.0:python-django-bash-completion-0:1.6.11-5.el7ost.noarch", "7Server-RH7-RHOS-6.0:python-django-doc-0:1.6.11-5.el7ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: User enumeration through timing difference on password hasher work factor upgrade" } ] }
rhsa-2016:0502
Vulnerability from csaf_redhat
Published
2016-03-24 01:10
Modified
2025-08-03 14:29
Summary
Red Hat Security Advisory: python-django security update
Notes
Topic
An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle.
Security Fix(es):
* An open-redirect flaw was found in the way Django's django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)
* A timing attack flaw was found in the way Django's PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used fewer hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)
Red Hat would like to thank the Django project for reporting these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don\u0027t Repeat Yourself) principle.\n\nSecurity Fix(es):\n\n* An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site. (CVE-2016-2512)\n\n* A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests. (CVE-2016-2513)\n\nRed Hat would like to thank the Django project for reporting these issues.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). 
If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2016:0502", "url": "https://access.redhat.com/errata/RHSA-2016:0502" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_0502.json" } ], "title": "Red Hat Security Advisory: python-django security update", "tracking": { "current_release_date": "2025-08-03T14:29:04+00:00", "generator": { "date": "2025-08-03T14:29:04+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2016:0502", "initial_release_date": "2016-03-24T01:10:28+00:00", "revision_history": [ { "date": "2016-03-24T01:10:28+00:00", "number": "1", "summary": "Initial version" }, { "date": "2016-03-24T01:10:28+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-03T14:29:04+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise 
Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product": { "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:5::el6" } } } ], "category": "product_family", "name": "Red Hat OpenStack Platform" }, { "branches": [ { "category": "product_version", "name": "python-django-doc-0:1.6.11-5.el6ost.noarch", "product": { "name": "python-django-doc-0:1.6.11-5.el6ost.noarch", "product_id": "python-django-doc-0:1.6.11-5.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-doc@1.6.11-5.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "product": { "name": "python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "product_id": "python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django-bash-completion@1.6.11-5.el6ost?arch=noarch" } } }, { "category": "product_version", "name": "python-django-0:1.6.11-5.el6ost.noarch", "product": { "name": "python-django-0:1.6.11-5.el6ost.noarch", "product_id": "python-django-0:1.6.11-5.el6ost.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el6ost?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "python-django-0:1.6.11-5.el6ost.src", "product": { "name": "python-django-0:1.6.11-5.el6ost.src", "product_id": "python-django-0:1.6.11-5.el6ost.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/python-django@1.6.11-5.el6ost?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el6ost.noarch as a component of Red Hat Enterprise Linux 
OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.noarch" }, "product_reference": "python-django-0:1.6.11-5.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-0:1.6.11-5.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.src" }, "product_reference": "python-django-0:1.6.11-5.el6ost.src", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-bash-completion-0:1.6.11-5.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el6ost.noarch" }, "product_reference": "python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" }, { "category": "default_component_of", "full_product_name": { "name": "python-django-doc-0:1.6.11-5.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6", "product_id": "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-5.el6ost.noarch" }, "product_reference": "python-django-doc-0:1.6.11-5.el6ost.noarch", "relates_to_product_reference": "6Server-RH6-RHOS-5.0" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2512", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311431" } ], "notes": [ { "category": "description", "text": "An open-redirect flaw was found in the way Django\u0027s django.utils.http.is_safe_url() function filtered authentication 
URLs. An attacker able to trick a victim into visiting a crafted URL could use this flaw to redirect that victim to a malicious site.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.src", "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-5.el6ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "RHBZ#1311431", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311431" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2512", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2512" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:28+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ 
"6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.src", "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-5.el6ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0502" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.src", "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-5.el6ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth" }, { "acknowledgments": [ { "names": [ "the Django project" ] } ], "cve": "CVE-2016-2513", "cwe": { "id": "CWE-385", "name": "Covert Timing Channel" }, "discovery_date": "2016-02-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1311438" } ], "notes": [ { "category": "description", "text": "A timing attack flaw was found in the way Django\u0027s PBKDF2PasswordHasher performed password hashing. 
Passwords hashed with an older version of PBKDF2PasswordHasher used less hashing iterations, and thus allowed an attacker to enumerate existing users based on the time differences in the login requests.", "title": "Vulnerability description" }, { "category": "summary", "text": "python-django: User enumeration through timing difference on password hasher work factor upgrade", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.src", "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-5.el6ost.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-2513" }, { "category": "external", "summary": "RHBZ#1311438", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1311438" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-2513", "url": "https://www.cve.org/CVERecord?id=CVE-2016-2513" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2513" }, { "category": "external", "summary": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "release_date": "2016-03-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2016-03-24T01:10:28+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer 
to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.src", "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-5.el6ost.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2016:0502" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-0:1.6.11-5.el6ost.src", "6Server-RH6-RHOS-5.0:python-django-bash-completion-0:1.6.11-5.el6ost.noarch", "6Server-RH6-RHOS-5.0:python-django-doc-0:1.6.11-5.el6ost.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "python-django: User enumeration through timing difference on password hasher work factor upgrade" } ] }
suse-su-2018:1102-1
Vulnerability from csaf_suse
Published
2018-04-27 13:24
Modified
2018-04-27 13:24
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following issues:
Security issues fixed:
- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)
- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)
- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)
- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)
- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)
- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)
- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)
- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)
- CVE-2016-2512: A vulnerability in the function utils.http.is_safe_url could allow remote attackers to redirect users to an arbitrary
web site and conduct phishing attacks. (bsc#bnc#967999)
Patchnames
SUSE-OpenStack-Cloud-6-2018-750
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-Django", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-Django fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2018-7537: Fixed catastrophic backtracking in django.utils.text.Truncator. (bsc#1083305)\n- CVE-2018-7536: Fixed catastrophic backtracking in urlize and urlizetrunc template filters. (bsc#1083304)\n- CVE-2017-12794: Fixed XSS possibility in traceback section of technical 500 debug page (bsc#1056284)\n- CVE-2017-7234: Open redirect vulnerability in django.views.static.serve() (bsc#1031451)\n- CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs (bsc#1031450)\n- CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True (bsc#1008047)\n- CVE-2016-9013: User with hardcoded password created when running tests on Oracle (bsc#1008050)\n- CVE-2016-7401: CSRF protection bypass on a site with Google Analytics (bsc#1001374)\n- CVE-2016-2512: Vulnerability in the function tils.http.is_safe_url could allow remote users to arbitrary \n web site and conduct phishing attacks. 
(bsc#bnc#967999)\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-OpenStack-Cloud-6-2018-750", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1102-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2018:1102-1", "url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181102-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2018:1102-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2018-April/003965.html" }, { "category": "self", "summary": "SUSE Bug 1001374", "url": "https://bugzilla.suse.com/1001374" }, { "category": "self", "summary": "SUSE Bug 1008047", "url": "https://bugzilla.suse.com/1008047" }, { "category": "self", "summary": "SUSE Bug 1008050", "url": "https://bugzilla.suse.com/1008050" }, { "category": "self", "summary": "SUSE Bug 1031450", "url": "https://bugzilla.suse.com/1031450" }, { "category": "self", "summary": "SUSE Bug 1031451", "url": "https://bugzilla.suse.com/1031451" }, { "category": "self", "summary": "SUSE Bug 1056284", "url": "https://bugzilla.suse.com/1056284" }, { "category": "self", "summary": "SUSE Bug 1083304", "url": "https://bugzilla.suse.com/1083304" }, { "category": "self", "summary": "SUSE Bug 1083305", "url": "https://bugzilla.suse.com/1083305" }, { "category": "self", "summary": "SUSE Bug 967999", "url": "https://bugzilla.suse.com/967999" }, { "category": 
"self", "summary": "SUSE CVE CVE-2016-2512 page", "url": "https://www.suse.com/security/cve/CVE-2016-2512/" }, { "category": "self", "summary": "SUSE CVE CVE-2016-7401 page", "url": "https://www.suse.com/security/cve/CVE-2016-7401/" }, { "category": "self", "summary": "SUSE CVE CVE-2016-9013 page", "url": "https://www.suse.com/security/cve/CVE-2016-9013/" }, { "category": "self", "summary": "SUSE CVE CVE-2016-9014 page", "url": "https://www.suse.com/security/cve/CVE-2016-9014/" }, { "category": "self", "summary": "SUSE CVE CVE-2017-12794 page", "url": "https://www.suse.com/security/cve/CVE-2017-12794/" }, { "category": "self", "summary": "SUSE CVE CVE-2017-7233 page", "url": "https://www.suse.com/security/cve/CVE-2017-7233/" }, { "category": "self", "summary": "SUSE CVE CVE-2017-7234 page", "url": "https://www.suse.com/security/cve/CVE-2017-7234/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7536 page", "url": "https://www.suse.com/security/cve/CVE-2018-7536/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7537 page", "url": "https://www.suse.com/security/cve/CVE-2018-7537/" } ], "title": "Security update for python-Django", "tracking": { "current_release_date": "2018-04-27T13:24:32Z", "generator": { "date": "2018-04-27T13:24:32Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2018:1102-1", "initial_release_date": "2018-04-27T13:24:32Z", "revision_history": [ { "date": "2018-04-27T13:24:32Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python-Django-1.8.19-3.6.1.noarch", "product": { "name": "python-Django-1.8.19-3.6.1.noarch", "product_id": "python-Django-1.8.19-3.6.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE OpenStack Cloud 6", "product": { "name": "SUSE OpenStack Cloud 
6", "product_id": "SUSE OpenStack Cloud 6", "product_identification_helper": { "cpe": "cpe:/o:suse:suse-openstack-cloud:6" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-Django-1.8.19-3.6.1.noarch as component of SUSE OpenStack Cloud 6", "product_id": "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" }, "product_reference": "python-Django-1.8.19-3.6.1.noarch", "relates_to_product_reference": "SUSE OpenStack Cloud 6" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-2512", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-2512" } ], "notes": [ { "category": "general", "text": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2016-2512", "url": "https://www.suse.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "SUSE Bug 967999 for CVE-2016-2512", "url": "https://bugzilla.suse.com/967999" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" }, "products": [ "SUSE OpenStack Cloud 
6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "important" } ], "title": "CVE-2016-2512" }, { "cve": "CVE-2016-7401", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-7401" } ], "notes": [ { "category": "general", "text": "The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2016-7401", "url": "https://www.suse.com/security/cve/CVE-2016-7401" }, { "category": "external", "summary": "SUSE Bug 1001374 for CVE-2016-7401", "url": "https://bugzilla.suse.com/1001374" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "moderate" } ], "title": "CVE-2016-7401" }, { "cve": "CVE-2016-9013", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-9013" } ], "notes": [ { "category": "general", "text": "Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it easier for remote attackers to obtain 
access to the database server by leveraging failure to manually specify a password in the database settings TEST dictionary.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2016-9013", "url": "https://www.suse.com/security/cve/CVE-2016-9013" }, { "category": "external", "summary": "SUSE Bug 1008050 for CVE-2016-9013", "url": "https://bugzilla.suse.com/1008050" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "low" } ], "title": "CVE-2016-9013" }, { "cve": "CVE-2016-9014", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-9014" } ], "notes": [ { "category": "general", "text": "Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to validate the HTTP Host header against settings.ALLOWED_HOSTS.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2016-9014", "url": "https://www.suse.com/security/cve/CVE-2016-9014" }, { "category": "external", "summary": "SUSE Bug 1008047 for CVE-2016-9014", "url": "https://bugzilla.suse.com/1008047" } ], "remediations": [ { "category": 
"vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "low" } ], "title": "CVE-2016-9014" }, { "cve": "CVE-2017-12794", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2017-12794" } ], "notes": [ { "category": "general", "text": "In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Given the right circumstances, this allowed a cross-site scripting attack. This vulnerability shouldn\u0027t affect most production sites since you shouldn\u0027t run with \"DEBUG = True\" (which makes this page accessible) in your production settings.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2017-12794", "url": "https://www.suse.com/security/cve/CVE-2017-12794" }, { "category": "external", "summary": "SUSE Bug 1056284 for CVE-2017-12794", "url": "https://bugzilla.suse.com/1056284" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, 
"products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "moderate" } ], "title": "CVE-2017-12794" }, { "cve": "CVE-2017-7233", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2017-7233" } ], "notes": [ { "category": "general", "text": "Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn\u0027t be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2017-7233", "url": "https://www.suse.com/security/cve/CVE-2017-7233" }, { "category": "external", "summary": "SUSE Bug 1031450 for CVE-2017-7233", "url": "https://bugzilla.suse.com/1031450" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "low" } ], "title": "CVE-2017-7233" }, { "cve": "CVE-2017-7234", "ids": [ { "system_name": "SUSE CVE Page", "text": 
"https://www.suse.com/security/cve/CVE-2017-7234" } ], "notes": [ { "category": "general", "text": "A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2017-7234", "url": "https://www.suse.com/security/cve/CVE-2017-7234" }, { "category": "external", "summary": "SUSE Bug 1031451 for CVE-2017-7234", "url": "https://bugzilla.suse.com/1031451" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "low" } ], "title": "CVE-2017-7234" }, { "cve": "CVE-2018-7536", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7536" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). 
The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7536", "url": "https://www.suse.com/security/cve/CVE-2018-7536" }, { "category": "external", "summary": "SUSE Bug 1083304 for CVE-2018-7536", "url": "https://bugzilla.suse.com/1083304" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "moderate" } ], "title": "CVE-2018-7536" }, { "cve": "CVE-2018-7537", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7537" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. 
The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7537", "url": "https://www.suse.com/security/cve/CVE-2018-7537" }, { "category": "external", "summary": "SUSE Bug 1083305 for CVE-2018-7537", "url": "https://bugzilla.suse.com/1083305" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-04-27T13:24:32Z", "details": "moderate" } ], "title": "CVE-2018-7537" } ] }
suse-su-2018:1828-1
Vulnerability from csaf_suse
Published
2018-06-27 11:36
Modified
2018-06-27 11:36
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following security issues:
- CVE-2016-2512: The utils.http.is_safe_url function allowed remote attackers
to redirect users to arbitrary web sites and conduct phishing attacks or
possibly conduct cross-site scripting (XSS) attacks via a URL containing basic
authentication (bsc#967999).
- CVE-2018-7536: The django.utils.html.urlize() function was extremely slow to
evaluate certain inputs due to catastrophic backtracking vulnerabilities
(bsc#1083304)
- CVE-2018-7537: If django.utils.text.Truncator's chars() and words() methods
were passed the html=True argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression (bsc#1083305)
Patchnames
SUSE-Storage-4-2018-1235
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-Django", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-Django fixes the following security issues:\n\n- CVE-2016-2512: The utils.http.is_safe_url function allowed remote attackers\n to redirect users to arbitrary web sites and conduct phishing attacks or\n possibly conduct cross-site scripting (XSS) attacks via a URL containing basic\n authentication (bsc#967999).\n- CVE-2018-7536: The django.utils.html.urlize() function was extremely slow to\n evaluate certain inputs due to catastrophic backtracking vulnerabilities\n (bsc#1083304)\n- CVE-2018-7537: If django.utils.text.Truncator\u0027s chars() and words() methods\n were passed the html=True argument, they were extremely slow to evaluate\n certain inputs due to a catastrophic backtracking vulnerability in a regular\n expression (bsc#1083305)\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-Storage-4-2018-1235", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": 
"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1828-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2018:1828-1", "url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181828-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2018:1828-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2018-June/004225.html" }, { "category": "self", "summary": "SUSE Bug 1083304", "url": "https://bugzilla.suse.com/1083304" }, { "category": "self", "summary": "SUSE Bug 1083305", "url": "https://bugzilla.suse.com/1083305" }, { "category": "self", "summary": "SUSE Bug 967999", "url": "https://bugzilla.suse.com/967999" }, { "category": "self", "summary": "SUSE CVE CVE-2016-2512 page", "url": "https://www.suse.com/security/cve/CVE-2016-2512/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7536 page", "url": "https://www.suse.com/security/cve/CVE-2018-7536/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7537 page", "url": "https://www.suse.com/security/cve/CVE-2018-7537/" } ], "title": "Security update for python-Django", "tracking": { "current_release_date": "2018-06-27T11:36:38Z", "generator": { "date": "2018-06-27T11:36:38Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2018:1828-1", "initial_release_date": "2018-06-27T11:36:38Z", "revision_history": [ { "date": "2018-06-27T11:36:38Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python-Django-1.6.11-5.5.1.noarch", "product": { "name": "python-Django-1.6.11-5.5.1.noarch", "product_id": "python-Django-1.6.11-5.5.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Enterprise Storage 4", "product": { "name": "SUSE Enterprise Storage 4", "product_id": "SUSE Enterprise Storage 4", 
"product_identification_helper": { "cpe": "cpe:/o:suse:ses:4" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-Django-1.6.11-5.5.1.noarch as component of SUSE Enterprise Storage 4", "product_id": "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" }, "product_reference": "python-Django-1.6.11-5.5.1.noarch", "relates_to_product_reference": "SUSE Enterprise Storage 4" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-2512", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-2512" } ], "notes": [ { "category": "general", "text": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2016-2512", "url": "https://www.suse.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "SUSE Bug 967999 for CVE-2016-2512", "url": "https://bugzilla.suse.com/967999" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" }, "products": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] } ], "threats": [ 
{ "category": "impact", "date": "2018-06-27T11:36:38Z", "details": "important" } ], "title": "CVE-2016-2512" }, { "cve": "CVE-2018-7536", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7536" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7536", "url": "https://www.suse.com/security/cve/CVE-2018-7536" }, { "category": "external", "summary": "SUSE Bug 1083304 for CVE-2018-7536", "url": "https://bugzilla.suse.com/1083304" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-06-27T11:36:38Z", "details": "moderate" } ], "title": "CVE-2018-7536" }, { "cve": "CVE-2018-7537", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7537" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 
before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7537", "url": "https://www.suse.com/security/cve/CVE-2018-7537" }, { "category": "external", "summary": "SUSE Bug 1083305 for CVE-2018-7537", "url": "https://bugzilla.suse.com/1083305" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "SUSE Enterprise Storage 4:python-Django-1.6.11-5.5.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-06-27T11:36:38Z", "details": "moderate" } ], "title": "CVE-2018-7537" } ] }
suse-su-2018:1830-1
Vulnerability from csaf_suse
Published
2018-06-27 13:35
Modified
2018-06-27 13:35
Summary
Security update for python-Django
Notes
Title of the patch
Security update for python-Django
Description of the patch
This update for python-Django fixes the following security issues:
- CVE-2016-2512: The utils.http.is_safe_url function allowed remote attackers
to redirect users to arbitrary web sites and conduct phishing attacks or
possibly conduct cross-site scripting (XSS) attacks via a URL containing basic
authentication (bsc#967999).
- CVE-2018-7536: The django.utils.html.urlize() function was extremely slow to
evaluate certain inputs due to catastrophic backtracking vulnerabilities
(bsc#1083304).
- CVE-2018-7537: If django.utils.text.Truncator's chars() and words() methods
were passed the html=True argument, they were extremely slow to evaluate
certain inputs due to a catastrophic backtracking vulnerability in a regular
expression (bsc#1083305).
Patchnames
SUSE-Storage-5-2018-1237
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Security update for python-Django", "title": "Title of the patch" }, { "category": "description", "text": "This update for python-Django fixes the following security issues:\n\n- CVE-2016-2512: The utils.http.is_safe_url function allowed remote attackers\n to redirect users to arbitrary web sites and conduct phishing attacks or\n possibly conduct cross-site scripting (XSS) attacks via a URL containing basic\n authentication (bsc#967999).\n- CVE-2018-7536: The django.utils.html.urlize() function was extremely slow to\n evaluate certain inputs due to catastrophic backtracking vulnerabilities\n (bsc#1083304).\n- CVE-2018-7537: If django.utils.text.Truncator\u0027s chars() and words() methods\n were passed the html=True argument, they were extremely slow to evaluate\n certain inputs due to a catastrophic backtracking vulnerability in a regular\n expression (bsc#1083305).\n", "title": "Description of the patch" }, { "category": "details", "text": "SUSE-Storage-5-2018-1237", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": 
"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1830-1.json" }, { "category": "self", "summary": "URL for SUSE-SU-2018:1830-1", "url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181830-1/" }, { "category": "self", "summary": "E-Mail link for SUSE-SU-2018:1830-1", "url": "https://lists.suse.com/pipermail/sle-security-updates/2018-June/004226.html" }, { "category": "self", "summary": "SUSE Bug 1083304", "url": "https://bugzilla.suse.com/1083304" }, { "category": "self", "summary": "SUSE Bug 1083305", "url": "https://bugzilla.suse.com/1083305" }, { "category": "self", "summary": "SUSE Bug 967999", "url": "https://bugzilla.suse.com/967999" }, { "category": "self", "summary": "SUSE CVE CVE-2016-2512 page", "url": "https://www.suse.com/security/cve/CVE-2016-2512/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7536 page", "url": "https://www.suse.com/security/cve/CVE-2018-7536/" }, { "category": "self", "summary": "SUSE CVE CVE-2018-7537 page", "url": "https://www.suse.com/security/cve/CVE-2018-7537/" } ], "title": "Security update for python-Django", "tracking": { "current_release_date": "2018-06-27T13:35:42Z", "generator": { "date": "2018-06-27T13:35:42Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "SUSE-SU-2018:1830-1", "initial_release_date": "2018-06-27T13:35:42Z", "revision_history": [ { "date": "2018-06-27T13:35:42Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python-Django-1.6.11-6.5.1.noarch", "product": { "name": "python-Django-1.6.11-6.5.1.noarch", "product_id": "python-Django-1.6.11-6.5.1.noarch" } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_name", "name": "SUSE Enterprise Storage 5", "product": { "name": "SUSE Enterprise Storage 5", "product_id": "SUSE Enterprise Storage 5", 
"product_identification_helper": { "cpe": "cpe:/o:suse:ses:5" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python-Django-1.6.11-6.5.1.noarch as component of SUSE Enterprise Storage 5", "product_id": "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" }, "product_reference": "python-Django-1.6.11-6.5.1.noarch", "relates_to_product_reference": "SUSE Enterprise Storage 5" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-2512", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-2512" } ], "notes": [ { "category": "general", "text": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2016-2512", "url": "https://www.suse.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "SUSE Bug 967999 for CVE-2016-2512", "url": "https://bugzilla.suse.com/967999" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" }, "products": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] } ], "threats": [ 
{ "category": "impact", "date": "2018-06-27T13:35:42Z", "details": "important" } ], "title": "CVE-2016-2512" }, { "cve": "CVE-2018-7536", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7536" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7536", "url": "https://www.suse.com/security/cve/CVE-2018-7536" }, { "category": "external", "summary": "SUSE Bug 1083304 for CVE-2018-7536", "url": "https://bugzilla.suse.com/1083304" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-06-27T13:35:42Z", "details": "moderate" } ], "title": "CVE-2018-7536" }, { "cve": "CVE-2018-7537", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2018-7537" } ], "notes": [ { "category": "general", "text": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 
before 1.8.19. If django.utils.text.Truncator\u0027s chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.", "title": "CVE description" } ], "product_status": { "recommended": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] }, "references": [ { "category": "external", "summary": "CVE-2018-7537", "url": "https://www.suse.com/security/cve/CVE-2018-7537" }, { "category": "external", "summary": "SUSE Bug 1083305 for CVE-2018-7537", "url": "https://bugzilla.suse.com/1083305" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] } ], "scores": [ { "cvss_v3": { "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "SUSE Enterprise Storage 5:python-Django-1.6.11-6.5.1.noarch" ] } ], "threats": [ { "category": "impact", "date": "2018-06-27T13:35:42Z", "details": "moderate" } ], "title": "CVE-2018-7537" } ] }
pysec-2016-15
Vulnerability from pysec
Published
2016-04-08 15:59
Modified
2021-07-15 02:22
Details
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Impacted products
Name | purl
---|---
django | pkg:pypi/django
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "django", "purl": "pkg:pypi/django" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "c5544d289233f501917e25970c03ed444abbd4f0" } ], "repo": "https://github.com/django/django", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "1.8.10" }, { "introduced": "1.9" }, { "fixed": "1.9.3" } ], "type": "ECOSYSTEM" } ], "versions": [ "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.2", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.4.17", "1.4.18", "1.4.19", "1.4.2", "1.4.20", "1.4.21", "1.4.22", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "1.6", "1.6.1", "1.6.10", "1.6.11", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.8", "1.6.9", "1.7", "1.7.1", "1.7.10", "1.7.11", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8", "1.8.1", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.8a1", "1.8b1", "1.8b2", "1.8c1", "1.9", "1.9.1", "1.9.2" ] } ], "aliases": [ "CVE-2016-2512" ], "details": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "id": "PYSEC-2016-15", "modified": "2021-07-15T02:22:10.137209Z", "published": "2016-04-08T15:59:00Z", "references": [ { "type": "FIX", "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" }, { "type": "ARTICLE", "url": 
"https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" }, { "type": "ADVISORY", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/83879" }, { "type": "ADVISORY", "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "type": "ADVISORY", "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "type": "ADVISORY", "url": "http://www.debian.org/security/2016/dsa-3544" }, { "type": "ADVISORY", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "type": "ADVISORY", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "type": "ADVISORY", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "type": "ADVISORY", "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1035152" } ] }
ghsa-pw27-w7w4-9qc7
Vulnerability from github
Published
2022-05-17 01:09
Modified
2024-09-18 16:21
Severity ?
7.4 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
Summary
Django XSS Vulnerability
Details
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.8.10" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "PyPI", "name": "Django" }, "ranges": [ { "events": [ { "introduced": "1.9a1" }, { "fixed": "1.9.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2016-2512" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2023-07-31T22:18:51Z", "nvd_published_at": "2016-04-08T15:59:00Z", "severity": "MODERATE" }, "details": "The `utils.http.is_safe_url function` in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by `http://mysite.example.com\\@attacker.com`.", "id": "GHSA-pw27-w7w4-9qc7", "modified": "2024-09-18T16:21:05Z", "published": "2022-05-17T01:09:58Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2512" }, { "type": "WEB", "url": "https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350" }, { "type": "WEB", "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" }, { "type": "WEB", "url": "https://github.com/django/django/commit/fc6d147a63f89795dbcdecb0559256470fff4380" }, { "type": "PACKAGE", "url": "https://github.com/django/django" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-15.yaml" }, { "type": "WEB", "url": "https://web.archive.org/web/20210123090815/http://www.securityfocus.com/bid/83879" }, { "type": "WEB", "url": "https://web.archive.org/web/20210413200202/http://www.securitytracker.com/id/1035152" }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases" }, { "type": "WEB", "url": 
"http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "type": "WEB", "url": "http://www.debian.org/security/2016/dsa-3544" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2915-3" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N", "type": "CVSS_V4" } ], "summary": "Django XSS Vulnerability" }
gsd-2016-2512
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Aliases
{ "GSD": { "alias": "CVE-2016-2512", "description": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "id": "GSD-2016-2512", "references": [ "https://www.suse.com/security/cve/CVE-2016-2512.html", "https://www.debian.org/security/2016/dsa-3544", "https://access.redhat.com/errata/RHSA-2016:0506", "https://access.redhat.com/errata/RHSA-2016:0505", "https://access.redhat.com/errata/RHSA-2016:0504", "https://access.redhat.com/errata/RHSA-2016:0503", "https://access.redhat.com/errata/RHSA-2016:0502", "https://ubuntu.com/security/CVE-2016-2512", "https://advisories.mageia.org/CVE-2016-2512.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2016-2512" ], "details": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "id": "GSD-2016-2512", "modified": "2023-12-13T01:21:19.895287Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2512", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The utils.http.is_safe_url 
function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2016:0506", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "name": "1035152", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035152" }, { "name": "83879", "refsource": "BID", "url": "http://www.securityfocus.com/bid/83879" }, { "name": "RHSA-2016:0504", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "name": "DSA-3544", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3544" }, { "name": "RHSA-2016:0502", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "name": "USN-2915-3", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": "USN-2915-2", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "name": "RHSA-2016:0505", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "name": "USN-2915-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" }, { "name": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0", "refsource": "CONFIRM", "url": 
"https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e=1.8.0a,\u003c1.8.10||\u003e=1.9.0a,\u003c1.9.3", "affected_versions": "All versions starting from 1.8.0a before 1.8.10, all versions starting from 1.9.0a before 1.9.3", "credit": "Mark Striemer", "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "cwe_ids": [ "CWE-1035", "CWE-79", "CWE-937" ], "date": "2017-09-07", "description": "Django relies on user input in some cases (e.g. `django.contrib.auth.views.login()` and i18n) to redirect the user to an \"on success\" URL. The security check for these redirects (namely `django.utils.http.is_safe_url()`) considered some URLs with basic authentication credentials \"safe\" when they shouldn\u0027t be. For example, a URL like `http://mysite.example.com\\@attacker.com` would be considered safe if the request\u0027s host is `http://mysite.example.com`, but redirecting to this URL sends the user to `attacker.com`. Also, if a developer relies on `is_safe_url()` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.", "fixed_versions": [ "1.8.10", "1.9.3" ], "identifier": "CVE-2016-2512", "identifiers": [ "CVE-2016-2512" ], "package_slug": "pypi/Django", "pubdate": "2016-04-08", "solution": "Upgrade to latest or apply patches. 
See provided link.", "title": "Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth", "urls": [ "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" ], "uuid": "c7e6d948-6be8-42f0-880e-c25e02ef86ec" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2512" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-79" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0", "refsource": "CONFIRM", "tags": [], "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" }, { "name": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/", "refsource": "CONFIRM", "tags": [ "Vendor Advisory" ], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" }, { "name": "RHSA-2016:0504", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "tags": [], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "name": "83879", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/83879" }, { "name": "USN-2915-2", "refsource": "UBUNTU", "tags": [], "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "name": "USN-2915-3", "refsource": "UBUNTU", "tags": [], "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "name": "DSA-3544", "refsource": "DEBIAN", "tags": [], "url": "http://www.debian.org/security/2016/dsa-3544" }, { "name": "RHSA-2016:0502", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "name": "RHSA-2016:0505", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "name": "RHSA-2016:0506", "refsource": "REDHAT", "tags": [], "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "name": "USN-2915-1", "refsource": "UBUNTU", "tags": [], "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "name": "1035152", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id/1035152" } ] } }, "impact": { "baseMetricV2": { "cvssV2": { 
"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0 } }, "lastModifiedDate": "2017-09-08T01:29Z", "publishedDate": "2016-04-08T15:59Z" } } }
fkie_cve-2016-2512
Vulnerability from fkie_nvd
Published
2016-04-08 15:59
Modified
2025-04-12 10:46
Summary
The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
References
Source | URL | Tags |
---|---|---|
cve@mitre.org | http://rhn.redhat.com/errata/RHSA-2016-0502.html | ||
cve@mitre.org | http://rhn.redhat.com/errata/RHSA-2016-0504.html | ||
cve@mitre.org | http://rhn.redhat.com/errata/RHSA-2016-0505.html | ||
cve@mitre.org | http://rhn.redhat.com/errata/RHSA-2016-0506.html | ||
cve@mitre.org | http://www.debian.org/security/2016/dsa-3544 | ||
cve@mitre.org | http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | ||
cve@mitre.org | http://www.securityfocus.com/bid/83879 | ||
cve@mitre.org | http://www.securitytracker.com/id/1035152 | ||
cve@mitre.org | http://www.ubuntu.com/usn/USN-2915-1 | ||
cve@mitre.org | http://www.ubuntu.com/usn/USN-2915-2 | ||
cve@mitre.org | http://www.ubuntu.com/usn/USN-2915-3 | ||
cve@mitre.org | https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0 | ||
cve@mitre.org | https://www.djangoproject.com/weblog/2016/mar/01/security-releases/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2016-0502.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2016-0504.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2016-0505.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2016-0506.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2016/dsa-3544 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/83879 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1035152 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.ubuntu.com/usn/USN-2915-1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.ubuntu.com/usn/USN-2915-2 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.ubuntu.com/usn/USN-2915-3 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.djangoproject.com/weblog/2016/mar/01/security-releases/ | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
djangoproject | django | 1.8.9 | |
djangoproject | django | 1.9 | |
djangoproject | django | 1.9.1 | |
djangoproject | django | 1.9.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:djangoproject:django:1.8.9:*:*:*:*:*:*:*", "matchCriteriaId": "99A5BF6D-631B-4C8E-9868-579BD79100C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:djangoproject:django:1.9:*:*:*:*:*:*:*", "matchCriteriaId": "29C40BAC-6DF3-4EA2-A65A-86462DDD8723", "vulnerable": true }, { "criteria": "cpe:2.3:a:djangoproject:django:1.9.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B754401-8503-4553-853F-4F6BCD2D2FF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:djangoproject:django:1.9.2:*:*:*:*:*:*:*", "matchCriteriaId": "019C26C7-EF1F-45BB-934E-521E2E64452E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com." }, { "lang": "es", "value": "La funci\u00f3n utils.http.is_safe_url en Django en versiones anteriores a 1.8.10 y 1.9.x en versiones anteriores a 1.9.3 permite a atacantes remotos redirigir a usuarios a p\u00e1ginas web arbitrarias y llevar a cabo ataques de phishing o posiblemente llevar a cabo ataques de XSS a trav\u00e9s de una URL que contiene autenticaci\u00f3n b\u00e1sica, seg\u00fan lo demostrado por http://mysite.example.com\\@attacker.com." 
} ], "id": "CVE-2016-2512", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-04-08T15:59:06.183", "references": [ { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2016/dsa-3544" }, { "source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/83879" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1035152" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { 
"source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "source": "cve@mitre.org", "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "source": "cve@mitre.org", "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0502.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0504.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0505.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0506.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3544" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/83879" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1035152" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2915-1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2915-2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2915-3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/django/django/commit/c5544d289233f501917e25970c03ed444abbd4f0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.djangoproject.com/weblog/2016/mar/01/security-releases/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": 
"Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
opensuse-su-2024:10361-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
python3-Django-1.10.4-1.1 on GA media
Notes
Title of the patch
python3-Django-1.10.4-1.1 on GA media
Description of the patch
These are all security issues fixed in the python3-Django-1.10.4-1.1 package on the GA media of openSUSE Tumbleweed. Note that Django 1.10.4 postdates the upstream fixed releases named in the CVE descriptions below (1.8.10 and 1.9.3), so the package shipped on the GA media already contains the upstream fixes for CVE-2016-2512 and CVE-2016-2513; this notice records the state of that package rather than announcing a new patch.
Patchnames
openSUSE-Tumbleweed-2024-10361
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ "document": { "aggregate_severity": { "namespace": "https://www.suse.com/support/security/rating/", "text": "moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright 2024 SUSE LLC. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "python3-Django-1.10.4-1.1 on GA media", "title": "Title of the patch" }, { "category": "description", "text": "These are all security issues fixed in the python3-Django-1.10.4-1.1 package on the GA media of openSUSE Tumbleweed.", "title": "Description of the patch" }, { "category": "details", "text": "openSUSE-Tumbleweed-2024-10361", "title": "Patchnames" }, { "category": "legal_disclaimer", "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", "title": "Terms of use" } ], "publisher": { "category": "vendor", "contact_details": "https://www.suse.com/support/security/contact/", "name": "SUSE Product Security Team", "namespace": "https://www.suse.com/" }, "references": [ { "category": "external", "summary": "SUSE ratings", "url": "https://www.suse.com/support/security/rating/" }, { "category": "self", "summary": "URL of this CSAF notice", "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10361-1.json" }, { "category": "self", "summary": "SUSE CVE CVE-2016-2512 page", "url": "https://www.suse.com/security/cve/CVE-2016-2512/" }, { "category": "self", "summary": "SUSE CVE CVE-2016-2513 page", "url": "https://www.suse.com/security/cve/CVE-2016-2513/" } ], "title": "python3-Django-1.10.4-1.1 on GA media", "tracking": { "current_release_date": "2024-06-15T00:00:00Z", "generator": { "date": "2024-06-15T00:00:00Z", "engine": { "name": "cve-database.git:bin/generate-csaf.pl", "version": "1" } }, "id": "openSUSE-SU-2024:10361-1", "initial_release_date": "2024-06-15T00:00:00Z", "revision_history": [ { "date": 
"2024-06-15T00:00:00Z", "number": "1", "summary": "Current version" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "python3-Django-1.10.4-1.1.aarch64", "product": { "name": "python3-Django-1.10.4-1.1.aarch64", "product_id": "python3-Django-1.10.4-1.1.aarch64" } } ], "category": "architecture", "name": "aarch64" }, { "branches": [ { "category": "product_version", "name": "python3-Django-1.10.4-1.1.ppc64le", "product": { "name": "python3-Django-1.10.4-1.1.ppc64le", "product_id": "python3-Django-1.10.4-1.1.ppc64le" } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "python3-Django-1.10.4-1.1.s390x", "product": { "name": "python3-Django-1.10.4-1.1.s390x", "product_id": "python3-Django-1.10.4-1.1.s390x" } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "python3-Django-1.10.4-1.1.x86_64", "product": { "name": "python3-Django-1.10.4-1.1.x86_64", "product_id": "python3-Django-1.10.4-1.1.x86_64" } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_name", "name": "openSUSE Tumbleweed", "product": { "name": "openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed", "product_identification_helper": { "cpe": "cpe:/o:opensuse:tumbleweed" } } } ], "category": "product_family", "name": "SUSE Linux Enterprise" } ], "category": "vendor", "name": "SUSE" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "python3-Django-1.10.4-1.1.aarch64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.aarch64" }, "product_reference": "python3-Django-1.10.4-1.1.aarch64", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python3-Django-1.10.4-1.1.ppc64le as component of 
openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.ppc64le" }, "product_reference": "python3-Django-1.10.4-1.1.ppc64le", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python3-Django-1.10.4-1.1.s390x as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.s390x" }, "product_reference": "python3-Django-1.10.4-1.1.s390x", "relates_to_product_reference": "openSUSE Tumbleweed" }, { "category": "default_component_of", "full_product_name": { "name": "python3-Django-1.10.4-1.1.x86_64 as component of openSUSE Tumbleweed", "product_id": "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.x86_64" }, "product_reference": "python3-Django-1.10.4-1.1.x86_64", "relates_to_product_reference": "openSUSE Tumbleweed" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-2512", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-2512" } ], "notes": [ { "category": "general", "text": "The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\\@attacker.com.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.aarch64", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.ppc64le", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.s390x", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2016-2512", "url": "https://www.suse.com/security/cve/CVE-2016-2512" }, { "category": "external", "summary": "SUSE Bug 967999 for CVE-2016-2512", "url": "https://bugzilla.suse.com/967999" } ], "remediations": [ { "category": "vendor_fix", 
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.aarch64", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.ppc64le", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.s390x", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "version": "3.0" }, "products": [ "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.aarch64", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.ppc64le", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.s390x", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "important" } ], "title": "CVE-2016-2512" }, { "cve": "CVE-2016-2513", "ids": [ { "system_name": "SUSE CVE Page", "text": "https://www.suse.com/security/cve/CVE-2016-2513" } ], "notes": [ { "category": "general", "text": "The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.", "title": "CVE description" } ], "product_status": { "recommended": [ "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.aarch64", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.ppc64le", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.s390x", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.x86_64" ] }, "references": [ { "category": "external", "summary": "CVE-2016-2513", "url": "https://www.suse.com/security/cve/CVE-2016-2513" }, { "category": "external", "summary": "SUSE Bug 968000 for CVE-2016-2513", "url": "https://bugzilla.suse.com/968000" } ], "remediations": [ { "category": "vendor_fix", "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 
\"zypper patch\".\n", "product_ids": [ "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.aarch64", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.ppc64le", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.s390x", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.x86_64" ] } ], "scores": [ { "cvss_v3": { "baseScore": 3.1, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.0" }, "products": [ "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.aarch64", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.ppc64le", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.s390x", "openSUSE Tumbleweed:python3-Django-1.10.4-1.1.x86_64" ] } ], "threats": [ { "category": "impact", "date": "2024-06-15T00:00:00Z", "details": "low" } ], "title": "CVE-2016-2513" } ] }