Django Vulnerable to MySQL Injection

GHSA-wqjj-hx84-v449 · CVE-2014-0474 · PYSEC-2014-3

Published May 17, 2022 · Modified Apr 13, 2025

Description

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-0474
WEB https://github.com/django/django/commit/5f0829a27e85d89ad8c433f5c6a7a7d17c9e9292
WEB https://github.com/django/django/commit/985434fb1d6bf2335bf96c6ebf91c3674f1f399f
WEB https://github.com/django/django/commit/aa80f498de6d687e613860933ac58433ab71ea4b
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-3.yaml
WEB https://www.djangoproject.com/weblog/2014/apr/21/security
WEB http://lists.opensuse.org/opensuse-updates/2014-09/msg00023.html
WEB http://rhn.redhat.com/errata/RHSA-2014-0456.html
WEB http://rhn.redhat.com/errata/RHSA-2014-0457.html
WEB http://www.debian.org/security/2014/dsa-2934
WEB http://www.ubuntu.com/usn/USN-2169-1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes