Description
Django Vulnerable to MySQL Injection
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
The underlying problem: these three fields stored their values in string columns but did not coerce the value used in a query to a string before handing it to the database driver. MySQL compares a string column against a numeric parameter by converting the stored string to a number (using its leading numeric prefix, or 0 if there is none), so an attacker who controls the *type* of a filter value (for example an integer rather than a string in a JSON request body) can make a lookup such as `filter(ip=0)` match rows it was never meant to match. The fix converts non-NULL values to a string in the fields' `get_prep_value()`; other backends are not affected by this typecasting behaviour.
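The following is an added, self-contained illustration of the typecasting problem and of the fix pattern; it is not Django's code and does not talk to MySQL. It models MySQL's string-to-number coercion in a `VARCHAR = <number>` comparison with a small regex (an approximation written for this example), uses constructed rows standing in for a table with a `GenericIPAddressField` and a `FilePathField` column, and contrasts a field that forwards the parameter unchanged with one that coerces it to `str` first. `VulnerableField`, `FixedField`, `filter_rows` and the row data are all hypothetical names for this example.

```python
"""Added example: MySQL typecasting against Django string-backed fields (CVE-2014-0474).

Constructed for illustration; not Django code and not a real database.
"""
import re

# Leading numeric prefix as MySQL reads it when coercing a string to a number.
# "127.0.0.1" -> 127.0 (parsing stops at the second '.'), "::1" -> no prefix -> 0.
_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def mysql_str_to_number(s):
    """Approximate MySQL's string-to-number coercion (assumption: prefix parse, else 0)."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def mysql_equals(column_value, param):
    """Approximate `varchar_column = param` in MySQL.

    A numeric parameter forces the stored string to be converted to a number;
    a string parameter is compared as a string.
    """
    if isinstance(param, (int, float)) and not isinstance(param, bool):
        return mysql_str_to_number(column_value) == float(param)
    return column_value == str(param)


# Constructed sample rows: what a GenericIPAddressField and a FilePathField store.
ROWS = [
    {"id": 1, "ip": "127.0.0.1", "path": "/srv/files/a.txt"},
    {"id": 2, "ip": "::1",       "path": "/srv/files/b.txt"},
    {"id": 3, "ip": "10.0.0.7",  "path": "/srv/files/c.txt"},
    {"id": 4, "ip": "fe80::1",   "path": "/srv/files/d.txt"},
]


class VulnerableField:
    """Pre-fix behaviour (hypothetical stand-in): the lookup value is sent as-is."""

    def get_prep_value(self, value):
        return value


class FixedField:
    """Post-fix pattern: non-None lookup values are coerced to str before hitting the driver."""

    def get_prep_value(self, value):
        if value is None:
            return None
        return str(value)


def filter_rows(field, column, value):
    """Stand-in for Model.objects.filter(**{column: value}) executed against MySQL."""
    param = field.get_prep_value(value)
    return [row["id"] for row in ROWS if mysql_equals(row[column], param)]


if __name__ == "__main__":
    # An attacker sends {"ip": 0} instead of {"ip": "0"}; every IPv6 string coerces to 0.
    print(filter_rows(VulnerableField(), "ip", 0))     # [2, 4]
    # Every path starts with '/', so integer 0 matches the whole table.
    print(filter_rows(VulnerableField(), "path", 0))   # [1, 2, 3, 4]
    # With str() coercion the comparison is string-vs-string and "0" matches nothing.
    print(filter_rows(FixedField(), "ip", 0))          # []
    print(filter_rows(FixedField(), "path", 0))        # []
```

The coercion model is deliberately simple; real MySQL also emits a truncation warning and handles hexadecimal and oversized literals differently, but the security-relevant property (any string without a numeric prefix compares equal to 0) is what the example reproduces.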
References
- https://nvd.nist.gov/vuln/detail/CVE-2014-0474
- https://github.com/django/django/commit/5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292
- https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f
- https://github.com/django/django/commit/aa80f498de6d687e613860933ac58433ab71ea4b
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-3.yaml
- https://www.djangoproject.com/weblog/2014/apr/21/security
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
- http://rhn.redhat.com/errata/RHSA-2014-0456.html
- http://rhn.redhat.com/errata/RHSA-2014-0457.html
- http://www.debian.org/security/2014/dsa-2934
- http://www.ubuntu.com/usn/USN-2169-1
Packages

| Package | Affected versions | Fixed in |
|---------|-------------------|----------|
| Django  | < 1.4.11          | 1.4.11   |
| Django  | >= 1.5, < 1.5.6   | 1.5.6    |
| Django  | >= 1.6, < 1.6.3   | 1.6.3    |
Related vulnerabilities
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."