CVE-2013-0305 - OpenCVE

The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Djangoproject	Django

Configuration 1 [-]

OR	cpe:2.3:a:djangoproject:django:1.3:::::::*
	cpe:2.3:a:djangoproject:django:1.3:alpha1::::::
	cpe:2.3:a:djangoproject:django:1.3:beta1::::::
	cpe:2.3:a:djangoproject:django:1.3.1:::::::*
	cpe:2.3:a:djangoproject:django:1.3.2:::::::*
	cpe:2.3:a:djangoproject:django:1.3.3:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:djangoproject:django:1.4:::::::*
	cpe:2.3:a:djangoproject:django:1.4:alpha::::::
	cpe:2.3:a:djangoproject:django:1.4:beta::::::
	cpe:2.3:a:djangoproject:django:1.4.1:::::::*
	cpe:2.3:a:djangoproject:django:1.4.2:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:djangoproject:django:1.5:alpha::::::
	cpe:2.3:a:djangoproject:django:1.5:beta::::::

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:::::*
	cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*

References

Link	Resource
http://rhn.redhat.com/errata/RHSA-2013-0670.html
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
https://www.djangoproject.com/weblog/2013/feb/19/security/	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-05-02T14:00:00

Updated: 2013-05-15T09:00:00

Reserved: 2012-12-06T00:00:00

Link: CVE-2013-0305

JSON object: View

NVD Information

Status : Modified

Published: 2013-05-02T14:55:05.257

Modified: 2013-05-15T03:34:10.117

Link: CVE-2013-0305

JSON object: View

Redhat Information

No data.

CWE

CWE-200

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "8F5428AE-6B63-4D27-BCC4-F228264A6F0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*", "matchCriteriaId": "06F122AC-B9BF-4E27-A7C0-F3E7B5E8A907", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.3:beta1:*:*:*:*:*:*", "matchCriteriaId": "33D378F8-CFDC-4882-A838-406ABA7AD8CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "132795AE-92DD-42CB-A59E-5F7136F93B46", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "6B5BE262-260E-4250-8F68-7392FD68970E", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "F18B54E2-447B-4B38-9E88-6833F67EB24C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "9A79FF7F-8F92-4FEB-96CC-6B15D0CE920D", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4:alpha:*:*:*:*:*:*", "matchCriteriaId": "C1E1C4B1-2A0A-459C-8348-AA7DA5C5B781", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4:beta:*:*:*:*:*:*", "matchCriteriaId": "F979543B-913B-46E9-8A40-BE2707D297F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "13EF02D4-406C-4146-9B8F-FAC906E7B6E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "DC462CE5-1BE0-41E0-A28D-291350F021AA", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*", "matchCriteriaId": "8A26B113-8D22-46E5-92C3-12134A68A21E", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*", "matchCriteriaId": "0D99FB28-08F3-45B4-8C04-90074FBC2457", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*", "matchCriteriaId": "7118F616-25CA-4E34-AA13-4D14BB62419F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*", "matchCriteriaId": "E4174F4F-149E-41A6-BBCC-D01114C05F38", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*", "matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The administrative interface for Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 does not check permissions for the history view, which allows remote authenticated administrators to obtain sensitive object history information."}, {"lang": "es", "value": "La interfaz administrativa para Django v1.3.x antes de v1.3.6, v1.4.x antes de v1.4.4, y v1.5 antes de la release candidate v2 no comprueba los permisos para la vista del historial, que permite a usuarios administradores autenticados obtener informaci\u00f3n del historial."}], "evaluatorImpact": "Per http://www.ubuntu.com/usn/usn-1757-1/\r\n\"A security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n Ubuntu 12.10\r\n Ubuntu 12.04 LTS\r\n Ubuntu 11.10\r\n Ubuntu 10.04 LTS\"", "id": "CVE-2013-0305", "lastModified": "2013-05-15T03:34:10.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-05-02T14:55:05.257", "references": [{"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0670.html"}, {"source": "secalert@redhat.com", "url": "http://ubuntu.com/usn/usn-1757-1"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2013/dsa-2634"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2013/feb/19/security/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}