
Debian 1.2.3-3+squeeze Critical: Python-Django Session Fixation

Distribution: Debian
Date: May 19, 2014
Debian DSA-2934-2 mitigates severe flaws in the python-django package. Upgrading is suggested; see the advisory for specifics.
Several vulnerabilities were discovered in Django, a high-level Python web development framework.

Summary

CVE-2014-0472

Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() URL resolver function. An attacker able to request a specially crafted view from a Django application could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution.
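The CVE-2014-0472 bug class in miniature, as an added illustration rather than Django's own code: a resolver that hands a caller-supplied dotted path straight to the importer, beside a hardened resolver that only accepts names the application registered. The view registry and the `myapp.views.*` paths are constructed placeholders.

```python
import importlib
from types import ModuleType

# Constructed registry standing in for an application's named URL patterns.
# The dotted paths are hypothetical; nothing here is imported by the safe path.
REGISTERED_VIEWS = {
    "home": "myapp.views.home",
    "profile": "myapp.views.profile",
}


def unsafe_lookup(view_path: str) -> ModuleType:
    """Vulnerable pattern (simplified model of the pre-fix behaviour):
    the dotted path comes from the request and is imported as-is, so the
    caller decides which module gets loaded from the Python path."""
    module_name, _sep, _attr = view_path.rpartition(".")
    if not module_name:
        raise LookupError(f"not a dotted path: {view_path!r}")
    return importlib.import_module(module_name)


def safe_lookup(view_name: str) -> str:
    """Hardened pattern: request input is only ever a key into the
    application's own registry. Dots are refused outright, so a dotted
    path can never reach an importer."""
    if "." in view_name:
        raise LookupError(f"dotted paths are not accepted: {view_name!r}")
    try:
        return REGISTERED_VIEWS[view_name]
    except KeyError:
        raise LookupError(f"unknown view name: {view_name!r}") from None


if __name__ == "__main__":
    # A harmless stdlib name shows the unsafe version loading whatever it is told.
    print(unsafe_lookup("json.dumps").__name__)   # json
    print(safe_lookup("home"))                     # myapp.views.home
```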

CVE-2014-0473

Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. A remote attacker could use this flaw to acquire the CSRF token of a different user and bypass intended CSRF protections in a Django application.

CVE-2014-0474

Michael Koziarski discovered that certain Django model field classes did not properly perform type conversion on their arguments, which allows remote attackers to obtain unexpected results.

CVE-2014-1418

Michael Nelson, Natalia Bidart and James Westby discovered that cached data in Django could be served to a different session, or to a u...


Severity: Critical

Package: python-django
CVE ID: CVE-2014-0472 CVE-2014-0473 CVE-2014-0474 CVE-2014-1418
