CVE-2014-0474
python-django: MySQL typecasting
- Severity Score:
- Exploit Likelihood:
- Affected Versions:
- Public Exploits: 0
- Exploited in Wild: -
- Decision:
Descriptions
The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
The (1) FilePathField, (2) GenericIPAddressField and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3 and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."
USN-2169-1 fixed vulnerabilities in Django. The upstream security patch for CVE-2014-0472 introduced a regression for certain applications. This update fixes the problem. Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. Michael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database. An attacker could possibly use this issue to obtain unexpected results. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2013-12-19 CVE Reserved
- 2014-04-22 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-399: Resource Management Errors
CAPEC
References (9)
URL | Tag | Date |
---|---|---|
http://secunia.com/advisories/61281 | Third Party Advisory | |
http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html | | 2017-01-07 |
http://rhn.redhat.com/errata/RHSA-2014-0456.html | | 2017-01-07 |
http://rhn.redhat.com/errata/RHSA-2014-0457.html | | 2017-01-07 |
http://www.debian.org/security/2014/dsa-2934 | | 2017-01-07 |
http://www.ubuntu.com/usn/USN-2169-1 | | 2017-01-07 |
https://www.djangoproject.com/weblog/2014/apr/21/security | | 2017-01-07 |
https://access.redhat.com/security/cve/CVE-2014-0474 | | 2014-04-30 |
https://bugzilla.redhat.com/show_bug.cgi?id=1090593 | | 2014-04-30 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Canonical | Ubuntu Linux | 10.04 | lts | Affected |
Canonical | Ubuntu Linux | 12.04 | lts | Affected |
Canonical | Ubuntu Linux | 12.10 | - | Affected |
Canonical | Ubuntu Linux | 13.10 | - | Affected |
Canonical | Ubuntu Linux | 14.04 | lts | Affected |
Djangoproject | Django | 1.6 | - | Affected |
Djangoproject | Django | 1.6.1 | - | Affected |
Djangoproject | Django | 1.6.2 | - | Affected |
Djangoproject | Django | <= 1.4.10 | - | Affected |
Djangoproject | Django | 1.4 | - | Affected |
Djangoproject | Django | 1.4.1 | - | Affected |
Djangoproject | Django | 1.4.2 | - | Affected |
Djangoproject | Django | 1.4.3 | - | Affected |
Djangoproject | Django | 1.4.4 | - | Affected |
Djangoproject | Django | 1.4.5 | - | Affected |
Djangoproject | Django | 1.4.6 | - | Affected |
Djangoproject | Django | 1.4.7 | - | Affected |
Djangoproject | Django | 1.4.8 | - | Affected |
Djangoproject | Django | 1.4.9 | - | Affected |
Djangoproject | Django | 1.7 | alpha1 | Affected |
Djangoproject | Django | 1.7 | alpha2 | Affected |
Djangoproject | Django | 1.7 | beta1 | Affected |
Djangoproject | Django | 1.5 | - | Affected |
Djangoproject | Django | 1.5.1 | - | Affected |
Djangoproject | Django | 1.5.2 | - | Affected |
Djangoproject | Django | 1.5.3 | - | Affected |
Djangoproject | Django | 1.5.4 | - | Affected |
Djangoproject | Django | 1.5.5 | - | Affected |