Description
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Statement
This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not accessible by default because of the firewall rules, thus this flaw cannot be used. However, it can be triggered on the Content Delivery Systems. Red Hat Satellite is not affected, since python-django is only used on Pulp API, which only returns JSON data.
Affected packages

Platform | Package | State | Recommendation | Release
---|---|---|---|---
Red Hat Ceph Storage 2 | python-django | Affected | |
Red Hat Ceph Storage 3 | python-django | Affected | |
Red Hat Certification for Red Hat Enterprise Linux 7 | python-django | Affected | |
Red Hat OpenStack Platform 10 (Newton) | python-django | Fix deferred | |
Red Hat OpenStack Platform 13 (Queens) | python-django | Fix deferred | |
Red Hat OpenStack Platform 14 (Rocky) | python-django | Fix deferred | |
Red Hat OpenStack Platform 8 (Liberty) | python-django | Will not fix | |
Red Hat OpenStack Platform 8 (Liberty) Operational Tools | python-django | Will not fix | |
Red Hat OpenStack Platform 9 (Mitaka) | python-django | Fix deferred | |
Red Hat OpenStack Platform 9 (Mitaka) Operational Tools | python-django | Fix deferred | |
Additional information
Status:
4.3 Medium
CVSS3
Related vulnerabilities
A vulnerability in the Django library for the Python programming language that allows an attacker to violate the integrity of protected information
4.3 Medium
CVSS3