Cisco Bug: CSCur15776 - CUCDM: Django Python Contains Several Vulnerabilities

Last Modified

Aug 06, 2018

Products (1)

  • Cisco Hosted Collaboration Solution (HCS)

Known Affected Releases

10.1(2)

Description (partial)

Symptom:
Cisco Unified Contact Center Domain Manager includes a version of Django that is affected by the
vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2014-0472: The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6,
1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python
modules by leveraging a view that constructs URLs using user input and a ''dotted Python path.'' This has been
classified by the vendor as having a CVSSv2 score of 5.1 (AV:N/AC:H/AU:N/C:P/I:P/A:P)

CVE-2014-0473: The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and
1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to
bypass CSRF protections by reading the CSRF cookie for anonymous users. This has been classified by the vendor
as having a CVSSv2 score of 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)

CVE-2014-0474: The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in
Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly
perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to
''MySQL typecasting.''  This has been classified by the vendor as having a CVSSv2 score of 10.0
(AV:N/AC:L/AU:N/C:C/I:C/A:C)

CVE-2014-0480: The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x
before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote
attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to
be generated. This has been classified by the vendor as having a CVSSv2 score of 5.8
(AV:N/AC:M/AU:N/C:P/I:P/A:N)

CVE-2014-0481: The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x
before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation
process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of
service (CPU consumption) by uploading multiple files with the same name. This has been classified by the
vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/AU:N/C:N/I:N/A:P)

CVE-2014-0482: The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x
before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the
contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via
vectors related to the REMOTE_USER header. This has been classified by the vendor as having a CVSSv2 score of
5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-2014-0483: The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x
before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between
models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a
popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. This
has been classified by the vendor as having a CVSSv2 score of 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)

CVE-2014-1418: Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not
properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers
to obtain sensitive information or poison the cache via a request from certain browsers. This has been
classified by the vendor as having a CVSSv2 score of 6.4 (AV:N/AC:L/AU:N/C:P/I:P/A:N)

CVE-2014-3730: The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6
before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct
open redirect attacks via a malformed URL, as demonstrated by ''http:\\\djangoproject.com.'' This has been
classified by the vendor as having a CVSSv2 score of 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)

This bug was opened to address the potential impact on this product.

Conditions:
Running version of the software prior to the Known Fixed Releases
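To check which of the CVEs above still apply to a given Django release, the following Python is an added example (not Cisco's or Django's code): the fixed-version ranges are transcribed from the CVE text above, while the version-string parsing and the handling of series outside 1.4 to 1.7 are my own assumptions.

```python
import re

# Lowest fixed version per release series, transcribed from the CVE texts above.
# "1.7b2" = 1.7 beta 2, "1.7c3" = 1.7 release candidate 3 (Django's own tag style).
FIXED_IN = {
    "CVE-2014-0472": {"1.4": "1.4.11", "1.5": "1.5.6", "1.6": "1.6.3", "1.7": "1.7b2"},
    "CVE-2014-0473": {"1.4": "1.4.11", "1.5": "1.5.6", "1.6": "1.6.3", "1.7": "1.7b2"},
    "CVE-2014-0474": {"1.4": "1.4.11", "1.5": "1.5.6", "1.6": "1.6.3", "1.7": "1.7b2"},
    "CVE-2014-0480": {"1.4": "1.4.14", "1.5": "1.5.9", "1.6": "1.6.6", "1.7": "1.7c3"},
    "CVE-2014-0481": {"1.4": "1.4.14", "1.5": "1.5.9", "1.6": "1.6.6", "1.7": "1.7c3"},
    "CVE-2014-0482": {"1.4": "1.4.14", "1.5": "1.5.9", "1.6": "1.6.6", "1.7": "1.7c3"},
    "CVE-2014-0483": {"1.4": "1.4.14", "1.5": "1.5.9", "1.6": "1.6.6", "1.7": "1.7c3"},
    "CVE-2014-1418": {"1.4": "1.4.13", "1.5": "1.5.8", "1.6": "1.6.5", "1.7": "1.7b4"},
    "CVE-2014-3730": {"1.4": "1.4.13", "1.5": "1.5.8", "1.6": "1.6.5", "1.7": "1.7b4"},
}

_STAGE = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "c": 2, "rc": 2}  # pre-release rank
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(?:(alpha|beta|rc|a|b|c)\s*(\d+))?$", re.I
)

def parse_version(text):
    """Turn '1.6.3', '1.7b2', '1.7 beta 2' or '1.7rc3' into a comparable tuple.
    A final release (stage 3) sorts above every pre-release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version: {text!r}")
    major, minor, micro, stage, num = m.groups()
    if stage is None:
        return (int(major), int(minor), int(micro or 0), 3, 0)
    return (int(major), int(minor), int(micro or 0), _STAGE[stage.lower()], int(num))

def is_affected(version, fixed_by_series):
    """True when `version` is below the fix for its own series. Assumption: a
    series older than every listed fix (e.g. 1.3.x) is affected, a newer one is not."""
    v = parse_version(version)
    series = f"{v[0]}.{v[1]}"
    if series in fixed_by_series:
        return v < parse_version(fixed_by_series[series])
    oldest_fix = min(parse_version(f) for f in fixed_by_series.values())
    return v < oldest_fix

def affected_cves(version):
    """CVE IDs from this bug that still apply to the given Django version."""
    return [cve for cve, fixes in FIXED_IN.items() if is_affected(version, fixes)]

if __name__ == "__main__":
    for v in ("1.4.10", "1.6.5", "1.7 beta 2", "1.7rc3"):
        print(v, "->", affected_cves(v) or "not affected")
```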