High severity · NVD Advisory · Published May 16, 2014 · Updated Jun 17, 2026
CVE-2014-3730
Description
The django.utils.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 1.4, < 1.4.13 | 1.4.13 |
| Django (PyPI) | >= 1.5, < 1.5.8 | 1.5.8 |
| Django (PyPI) | >= 1.6, < 1.6.5 | 1.6.5 |
| Django (PyPI) | >= 1.7a1, < 1.7b4 | 1.7b4 |
Affected products
- cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:-:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta4:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
References
- www.djangoproject.com/weblog/2014/may/14/security-releases-issued/ (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2014-09/msg00023.html (nvd; Third Party Advisory, WEB)
- ubuntu.com/usn/usn-2212-1 (nvd; Third Party Advisory, WEB)
- www.debian.org/security/2014/dsa-2934 (nvd; Third Party Advisory, WEB)
- www.openwall.com/lists/oss-security/2014/05/14/10 (nvd; Third Party Advisory, WEB)
- www.openwall.com/lists/oss-security/2014/05/15/3 (nvd; Third Party Advisory, WEB)
- www.securityfocus.com/bid/67410 (nvd; Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-vq3h-3q7v-9prw (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-3730 (ghsa; ADVISORY)
- secunia.com/advisories/61281 (nvd; WEB)
- github.com/django/django/commit/601107524523bca02376a0ddc1a06c6fdb8f22f3 (ghsa; WEB)
- github.com/django/django/commit/7feb54bbae3f637ab3c4dd4831d4385964f574df (ghsa; WEB)
- github.com/django/django/commit/ad32c218850ad40972dcef57beb460f8c979dd6d (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2014-20.yaml (ghsa; WEB)
- web.archive.org/web/20200228171223/http://www.securityfocus.com/bid/67410 (ghsa; WEB)
- www.djangoproject.com/weblog/2014/may/14/security-releases-issued (ghsa; WEB)