CVE-2014-0480

Publication date 26 August 2014

Last updated 24 July 2024

Description

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-django	14.04 LTS trusty	Fixed 1.6.1-2ubuntu0.4
	12.04 LTS precise	Fixed 1.3.1-4ubuntu1.12
	10.04 LTS lucid	Fixed 1.1.1-2ubuntu1.13

How can I get the fixes?
What do statuses mean?
Patch details

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
python-django	Vendor: https://www.debian.org/security/2014/dsa-3010 Upstream: c2fe731 Upstream: da051da

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2347-1
Django vulnerabilities
16 September 2014

Other references

https://www.djangoproject.com/weblog/2014/aug/20/security/
https://www.cve.org/CVERecord?id=CVE-2014-0480