Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2017-7233

Disclosure Date: April 04, 2017 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs “safe” when they shouldn’t be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

djangoproject

Products

References

Canonical

CVE-2017-7233 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7233)

BID-97406 (http://www.securityfocus.com/bid/97406)

Advisory

SECTRACK-1038177 (http://www.securitytracker.com/id/1038177)

https://access.redhat.com/errata/RHSA-2017:1596

https://access.redhat.com/errata/RHSA-2017:3093

DSA-3835 (http://www.debian.org/security/2017/dsa-3835)

https://access.redhat.com/errata/RHSA-2017:1445

https://access.redhat.com/errata/RHSA-2017:1451

https://access.redhat.com/errata/RHSA-2018:2927

https://access.redhat.com/errata/RHSA-2017:1470

https://www.djangoproject.com/weblog/2017/apr/04/security-releases

https://access.redhat.com/errata/RHSA-2017:1462

Rapid7

Technical Analysis