Django CVE-2018-14574 Open Redirection Vulnerability

Bugtraq ID:	104970
Class:	Input Validation Error
CVE:	CVE-2018-14574
Remote:	Yes
Local:	No
Published:	Aug 01 2018 12:00AM
Updated:	Aug 01 2018 12:00AM
Credit:	Andreas Hug
Vulnerable:	Redhat Gluster Storage 3.0 Djangoproject Django 2.0.7 Djangoproject Django 2.0.6 Djangoproject Django 2.0.5 Djangoproject Django 2.0.4 Djangoproject Django 2.0.3 Djangoproject Django 2.0.2 Djangoproject Django 2.0.1 Djangoproject Django 1.11.11 Djangoproject Django 1.11.10 Djangoproject Django 1.11.9 Djangoproject Django 1.11.8 Djangoproject Django 1.11.5 Djangoproject Django 1.11.4 Djangoproject Django 1.11.3 Djangoproject Django 1.11.2 Djangoproject Django 1.11.1 Djangoproject Django 2.0 Djangoproject Django 1.11
Not Vulnerable:	Djangoproject Django 2.0.8 Djangoproject Django 1.11.15 Djangoproject Django 2.1

Django CVE-2018-14574 Open Redirection Vulnerability

Django is prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input.

An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.

Versions prior to Django 2.1, 2.0.8, and 1.11.15 are vulnerable.

Django CVE-2018-14574 Open Redirection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Django CVE-2018-14574 Open Redirection Vulnerability

References:

• Bug 1609031 - (CVE-2018-14574) CVE-2018-14574 django: Open redirect possibility (Red Hat Bugzilla)
  
• CVE-2018-14574 (Django)
  
• Django Homepage (Django)
  
• Django security releases issued: 2.0.8 and 1.11.15 (Django)