CVSSv2: 5.8

CVE-2017-7234

Published: 04/04/2017 Updated: 04/11/2017
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 517
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

A maliciously crafted URL to a Django (1.10 prior to 1.10.7, 1.9 prior to 1.9.13, and 1.8 prior to 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability.

Vulnerable Products

djangoproject django 1.8.2
djangoproject django 1.8.3
djangoproject django 1.8.10
djangoproject django 1.8.11
djangoproject django 1.8.0
djangoproject django 1.9.4
djangoproject django 1.9.5
djangoproject django 1.10.1
djangoproject django 1.10.2
djangoproject django 1.9
djangoproject django 1.9.1
djangoproject django 1.8.4
djangoproject django 1.8.5
djangoproject django 1.8.12
djangoproject django 1.8.13
djangoproject django 1.9.6
djangoproject django 1.9.7
djangoproject django 1.10.3
djangoproject django 1.10.4
djangoproject django 1.9.2
djangoproject django 1.9.8
djangoproject django 1.8.1
djangoproject django 1.8.8
djangoproject django 1.8.9
djangoproject django 1.8.16
djangoproject django 1.8.17
djangoproject django 1.9.12
djangoproject django 1.9.3
djangoproject django 1.10.0
djangoproject django 1.8.6
djangoproject django 1.8.7
djangoproject django 1.8.14
djangoproject django 1.8.15
djangoproject django 1.9.10
djangoproject django 1.9.11
djangoproject django 1.10.5
djangoproject django 1.10.6
djangoproject django 1.9.9

Vendor Advisories

Several security issues were fixed in Django ...
Several vulnerabilities were discovered in Django, a high-level Python web development framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-9013: Marti Raudsepp reported that a user with a hardcoded password is created when running tests with an Oracle database. CVE-2016-9014: Aymeric Au ...
Debian Bug report logs - #859516 python-django: CVE-2017-7234: Open redirect vulnerability in django.views.static.serve(). Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: ...
Debian Bug report logs - #842856 python-django: CVE-2016-9013 CVE-2016-9014. Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 1 Nov 2016 19:39:02 UTC; Severity: impo ...
Debian Bug report logs - #859515 python-django: CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs. Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@deb ...
A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect vulnerability ...
A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects, as they don't provide any known, useful functionality. Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid ...

Github Repositories

Partial environments for reproducing Django vulnerabilities; virtualenv is recommended for reproducing some of them.

django-cve-hub: Partial environments and vulnerable implementation code that I previously used to reproduce historical Django CVEs, uploaded now because I saw that someone needed them. A few are not yet fully complete; I will fill them in gradually when I have time. The ones that are currently more complete are: CVE-2017-7233, CVE-2017-7234.

Project 9: Improve a Django Project. WARNING: Security Vulnerability. There are multiple vulnerabilities with versions of Django below 1.11.19 (see CVE-2019-6975, CVE-2019-3498, CVE-2017-7234, and CVE-2017-7233). These vulnerabilities have not been addressed, as part of the project specification is to use the packages according to the supplied requirements.txt. 1. Installation: Clon ...

The knife of the Admin & Security auditor

DEPRECATED: patton-cli has been moved into a module of the new patton repository for better maintenance. THIS REPOSITORY WILL BE DELETED AS OF JULY 1. Patton-cli - The knife of the Admin & Security auditor. Current version: 0.0.1. Project site: github.com/bbva/patton-cli. Issues: github.com/bbva/patton-cli/issues/. Python versions: 3.6 or above. What ...