Django CVE-2014-0482 Authentication Bypass Vulnerability
BID:69430
Info
| Bugtraq ID: | 69430 |
| Class: | Access Validation Error |
| CVE: | CVE-2014-0482 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 26 2014 12:00AM |
| Updated: | Apr 13 2015 10:09PM |
| Credit: | David Greisen |
Vulnerable:
- Ubuntu Ubuntu Linux 14.04 LTS
- Ubuntu Ubuntu Linux 12.04 LTS i386
- Ubuntu Ubuntu Linux 12.04 LTS amd64
- Ubuntu Ubuntu Linux 10.04 sparc
- Ubuntu Ubuntu Linux 10.04 powerpc
- Ubuntu Ubuntu Linux 10.04 i386
- Ubuntu Ubuntu Linux 10.04 ARM
- Ubuntu Ubuntu Linux 10.04 amd64
- Mandriva Business Server 1 X86 64
- Mandriva Business Server 1
- Gentoo Linux
- Djangoproject Django 1.7
- Djangoproject Django 1.6.5
- Djangoproject Django 1.6
- Djangoproject Django 1.5.8
- Djangoproject Django 1.5.6
- Djangoproject Django 1.5.4
- Djangoproject Django 1.5.3
- Djangoproject Django 1.5.2
- Djangoproject Django 1.4.13
- Djangoproject Django 1.4.11
- Djangoproject Django 1.4.8
- Djangoproject Django 1.4.7
- Djangoproject Django 1.4.6
- Djangoproject Django 1.4.5
- Djangoproject Django 1.4.4
- Djangoproject Django 1.4.2
- Djangoproject Django 1.4.1
- Djangoproject Django 1.4
- Djangoproject Django 1.5.1
- Djangoproject Django 1.5.0
- Debian Linux 6.0 sparc
- Debian Linux 6.0 s/390
- Debian Linux 6.0 powerpc
- Debian Linux 6.0 mips
- Debian Linux 6.0 ia-64
- Debian Linux 6.0 ia-32
- Debian Linux 6.0 arm
- Debian Linux 6.0 amd64

Not Vulnerable:
- Djangoproject Django 1.6.6
- Djangoproject Django 1.5.9
- Djangoproject Django 1.4.14
- Djangoproject Django 1.7 rc 3
Discussion
Django is prone to a remote authentication-bypass vulnerability.
An attacker can exploit this issue to bypass the authentication mechanism and gain unauthorized access. This may aid in further attacks.
Versions prior to Django 1.4.14, 1.5.9, 1.6.6 and 1.7 rc3 are vulnerable.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
Mandriva Business Server 1 X86 64
Mandriva python-django-1.3.7-1.5.mbs1.noarch.rpm
http://www.mandriva.com/en/downloads/
References
References:
- Django Homepage (Django)
- Security releases issued (Django)
- DSA-3010-1 python-django -- security update (Debian)