Alpine: py-django: security update to 1.8.18-r0

medium Tenable Self-Hosted Container Security Plugin ID 406614

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to
redirect the user to an "on success" URL. The security check for these redirects (namely
``django.utils.http.is_safe_url()``) considered some numeric URLs "safe" when they shouldn't be, aka an
open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack. (CVE-2017-7233)

- A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site
using the ``django.views.static.serve()`` view could redirect to any other domain, aka an open redirect
vulnerability. (CVE-2017-7234)
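As an added illustration (not code from this plugin page or from Django itself), the validator below shows the class of checks a safe-redirect helper needs so that the numeric and scheme-without-authority URL forms described above are rejected rather than treated as relative paths; it detects the scheme itself instead of relying on `urlsplit()`, whose older versions parse `http:999999999` as a path. The allowed host set and sample URLs are constructed for the example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Only these schemes are acceptable for an "on success" redirect target.
ALLOWED_SCHEMES = {"http", "https"}
# Explicit scheme detection, independent of urlsplit()'s port-number heuristic:
# a browser reads "http:999999999" as http://999999999/, so we must see the scheme too.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.DOTALL)


def _is_safe(url, allowed_hosts):
    if not url:
        return False
    # Browsers skip leading control characters and may then read the rest as
    # scheme-relative, so refuse anything that starts with one.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # Three or more leading slashes are treated as an absolute URL by Chrome.
    if url.startswith("///"):
        return False
    m = SCHEME_RE.match(url)
    if m:
        scheme, rest = m.group(1).lower(), m.group(2)
        if scheme not in ALLOWED_SCHEMES:
            return False
        # Scheme present but no "//host" authority ("http:999999999", "http:///host"):
        # browsers rewrite these to an external host, so reject them outright.
        if not rest.startswith("//") or rest.startswith("///"):
            return False
        netloc = urlsplit(url).netloc
        if not netloc:
            return False
    else:
        # Either a protocol-relative "//host/..." URL or a plain relative path.
        netloc = urlsplit(url).netloc
    # netloc is compared verbatim, so an unexpected port also fails the check.
    return not netloc or netloc in allowed_hosts


def is_safe_redirect(url, allowed_hosts):
    """True only if every browser reading of ``url`` stays on an allowed host."""
    # Chrome treats "\" like "/" in URLs, so both spellings must pass.
    return _is_safe(url, allowed_hosts) and _is_safe(url.replace("\\", "/"), allowed_hosts)
```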

See Also

https://security.alpinelinux.org/vuln/CVE-2017-7233

https://security.alpinelinux.org/vuln/CVE-2017-7234

Plugin Details

Severity: Medium

ID: 406614

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/13/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2017-7234

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/4/2017

Reference Information

CVE: CVE-2017-7233, CVE-2017-7234

BID: 97401, 97406