CVE-2017-7233

NameCVE-2017-7233
DescriptionDjango 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-885-1, DSA-3835-1
NVD severitymedium (attack range: remote)
Debian Bugs859515

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)wheezy1.4.5-1+deb7u16vulnerable
wheezy (security)1.4.22-1+deb7u3fixed
jessie (security), jessie1.7.11-1+deb8u2fixed
stretch1:1.10.7-2fixed
buster, sid1:1.11.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)1:1.10.7-1medium859515
python-djangosourcejessie1.7.11-1+deb8u2mediumDSA-3835-1
python-djangosourcewheezy1.4.22-1+deb7u3mediumDLA-885-1

Notes

https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
Fixed by (master): https://github.com/django/django/commit/5ea48a70afac5e5684b504f09286e7defdd1a81a

Search for package or bug name: Reporting problems