CVE-2017-7233 Medium Severity Vulnerability detected by WhiteSource

[mend-bolt-for-github]

CVE-2017-7233 - Medium Severity Vulnerability

Vulnerable Library - Django-1.9.6-py2.py3-none-any.whl

A high-level Python Web framework that encourages rapid development and clean, pragmatic design.

path: /example-python

Library home page: https://pypi.python.org/packages/cb/97/081df31f2a3850988b92ad4464e95f9e4b257aa5a34e120bca89c260de96/Django-1.9.6-py2.py3-none-any.whl

Dependency Hierarchy:

• ❌ Django-1.9.6-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs "safe" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on is_safe_url() to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.

Publish Date: 2017-04-04

URL: CVE-2017-7233

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7233

Release Date: 2017-04-04

Fix Resolution: 1.10.7,1.9.13,1.8.18

---

Step up your Open Source Security Game with WhiteSource here