A redirect flaw was found in python-django: the is_safe_url() function did not correctly sanitize numeric URLs supplied in user input. A remote attacker could exploit this flaw to perform XSS attacks against the OpenStack dashboard.
Find out more about CVE-2017-7233 from the MITRE CVE dictionary and NIST NVD.
This issue affects the versions of python-django as shipped with Red Hat Satellite 6. Please note that python-django, as used by Pulp, does not use "is_safe_url" directly, nor the "i18n" views or the "django.contrib.auth" Login view. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
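As an added illustration (not Django's own code or its fix for this CVE), the following Python validator shows the kind of check is_safe_url() is meant to perform and why a numeric target such as http:999999999 has to be rejected rather than treated as a harmless relative path; the function names and the backslash handling are assumptions of this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Anything that starts like "<scheme>:" per RFC 3986, decided independently of
# the parser. Depending on the Python version, urlsplit("http:999999999") yields
# scheme "http" with an empty netloc, or no scheme at all because the all-digit
# remainder looks like a port number; browsers nonetheless load http://999999999/
# (an integer IPv4 address), so a check that only compares netloc against the
# host and scheme against an allow-list lets the redirect through.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def _is_safe(url: str, host: str, allowed_schemes: set) -> bool:
    # Some browsers ignore leading control characters, which could turn an
    # apparently relative path into a scheme-relative URL.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Browsers treat three or more leading slashes as absolute; urlsplit() does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    match = _SCHEME_RE.match(url)
    scheme = (match.group(1) if match else parts.scheme).lower()
    # A scheme with no authority ("http:999999999", "http:///evil.example",
    # "javascript:...") is never a same-site redirect.
    if scheme and not parts.netloc:
        return False
    if parts.netloc and parts.netloc.lower() != host.lower():
        return False
    # A scheme-relative URL ("//host/path") is treated as http here, the
    # conservative choice, so it fails when https is required.
    if not scheme and parts.netloc:
        scheme = "http"
    return not scheme or scheme in allowed_schemes


def is_safe_redirect(url: str, host: str, require_https: bool = False) -> bool:
    """True only if `url` keeps the user on `host` under an allowed scheme."""
    if not url:
        return False
    allowed = {"https"} if require_https else {"http", "https"}
    # Chrome treats "\" as "/" in paths, so both spellings must pass.
    return all(_is_safe(u, host, allowed) for u in (url, url.replace("\\", "/")))
```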
Metric | Value |
---|---|
CVSS3 Base Score | 6.1 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | Required |
Scope | Changed |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | None |
Platform | Errata | Release Date |
---|---|---|
Red Hat OpenStack Platform 9.0 (python-django) | RHSA-2017:1462 | 2017-06-14 |
Red Hat Satellite 6.4 for RHEL 7 (python-django) | RHSA-2018:2927 | 2018-10-16 |
Red Hat OpenStack Platform 11.0 (Ocata) (python-django) | RHSA-2017:3093 | 2017-10-31 |
Red Hat OpenStack Platform 8.0 (Liberty) (python-django) | RHSA-2017:1470 | 2017-06-14 |
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 (python-django) | RHSA-2017:1445 | 2017-06-14 |
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 (python-django) | RHSA-2017:1451 | 2017-06-14 |
Red Hat OpenStack Platform 10 (python-django) | RHSA-2017:1596 | 2017-06-28 |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | Django | Will not fix |
Red Hat Storage Console 2 | Django | Will not fix |
Red Hat Storage Console 2 | python-django | Will not fix |
Red Hat Satellite 6 | python-django | Will not fix |
Red Hat OpenStack Platform Operational Tools 9 | python-django | Will not fix |
Red Hat OpenStack Platform 12.0 | python-django | Not affected |
Red Hat OpenStack Platform 10.0 Operational Tools for RHEL 7 | python-django | Not affected |
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 | python-django | Will not fix |
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 | python-django | Will not fix |
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | python-django | Will not fix |
Red Hat Ceph Storage 2 | Django | Will not fix |
Red Hat Ceph Storage 1.3 | Django | Will not fix |