CVE-2018-14574
Description
django.middleware.common.CommonMiddleware in Django 1.11.x before 1.11.15 and 2.0.x before 2.0.8 has an Open Redirect.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Django's `CommonMiddleware` contains an open redirect vulnerability in versions 1.11.x before 1.11.15 and 2.0.x before 2.0.8.
Vulnerability
In Django versions 1.11.x before 1.11.15 and 2.0.x before 2.0.8, django.middleware.common.CommonMiddleware does not properly sanitize the URL it redirects to, allowing an open redirect. An attacker can craft a URL whose path starts with leading slashes, which browsers read as a scheme-relative URL, so the redirect sends users to an external malicious site [2][3].
Exploitation
An attacker can exploit this vulnerability by crafting a URL that, when processed by CommonMiddleware, results in a redirect to an arbitrary external domain. No authentication or special privileges are required; the attacker only needs to lure a user into following the crafted link [3].
Impact
Successful exploitation allows an attacker to redirect users to an attacker-controlled website, potentially leading to phishing attacks or other social engineering exploits. This is an open redirect vulnerability, which can be used to bypass URL validation and trust mechanisms [3].
Mitigation
The vulnerability is fixed in Django versions 1.11.15 and 2.0.8. Users should upgrade to these versions or later. The fix escapes leading slashes in the redirect target so that it cannot be read as a scheme-relative URL [4]. No workarounds are available for unpatched versions.
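The following is an added example, not Django's own code: it models the CommonMiddleware APPEND_SLASH redirect before and after the fix, shows how a browser resolves the resulting Location header against the site origin, and scans constructed access-log lines for request paths of the shape involved. The function names, the sample origin `app.example`, the placeholder host `attacker.example` and the log lines are this example's own assumptions; the patched branch mirrors the leading-slash escaping that Django 1.11.15 and 2.0.8 introduced (the `django.utils.http.escape_leading_slashes` helper) but is reimplemented here so the file runs without Django, and it goes one step beyond that helper by also treating a leading `/\` as two slashes, since browsers normalise backslashes to slashes in http(s) URLs.

```python
# Added example (not Django's code): CVE-2018-14574 before/after, plus a
# log check. Origin, hostnames and log lines below are constructed.
from urllib.parse import urljoin, urlsplit

SITE = "https://app.example/"  # constructed origin of the Django site


def escape_leading_slashes(path: str) -> str:
    """Percent-encode the second of two leading slashes so the path cannot be
    read as a scheme-relative URL. Generalises Django's helper (which checks
    only '//') to '/\\' as well, because browsers treat '\\' as '/' here."""
    if len(path) >= 2 and path[0] == "/" and path[1] in "/\\":
        return "/%2F" + path[2:]
    return path


def append_slash_location(path: str, patched: bool) -> str:
    """Location value the middleware emits for a path without a trailing
    slash when APPEND_SLASH is on (simplified: query string ignored).
    patched=False reproduces the affected behaviour, patched=True the fix."""
    location = path if path.endswith("/") else path + "/"
    return escape_leading_slashes(location) if patched else location


def resolve_like_a_browser(base: str, location: str) -> str:
    """Resolve a Location header against the page origin the way a browser
    does: urljoin performs RFC 3986 resolution, and the backslash swap
    approximates the browser's normalisation of '\\' to '/'."""
    return urljoin(base, location.replace("\\", "/"))


def redirect_stays_on_host(base: str, location: str) -> bool:
    """True when following the redirect keeps the user on the site's host."""
    target = urlsplit(resolve_like_a_browser(base, location))
    return target.netloc == urlsplit(base).netloc


def flag_double_slash_requests(log_lines):
    """Return (client, path) for common-log-format lines whose request path
    starts with '//' or '/\\'. On an unpatched deployment these are the
    requests the bug turns into off-site redirects, so they are worth an alert."""
    hits = []
    for line in log_lines:
        try:
            client = line.split(" ", 1)[0]
            path = line.split('"', 2)[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip it
        if path.startswith("//") or path.startswith("/\\"):
            hits.append((client, path))
    return hits


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2018:10:00:01 +0000] "GET /accounts/login HTTP/1.1" 301 0',
    '203.0.113.9 - - [12/Aug/2018:10:00:02 +0000] "GET //attacker.example/login HTTP/1.1" 301 0',
    '203.0.113.9 - - [12/Aug/2018:10:00:03 +0000] "GET /\\attacker.example/login HTTP/1.1" 301 0',
]

if __name__ == "__main__":
    for path in ("/accounts/login", "//attacker.example/login"):
        for patched in (False, True):
            loc = append_slash_location(path, patched)
            label = "patched " if patched else "affected"
            print(f"{label} {path!r:28} -> Location: {loc!r:32} "
                  f"resolves to {resolve_like_a_browser(SITE, loc)}")
    print("flagged:", flag_double_slash_requests(SAMPLE_LOG))
```

The affected branch turns `//attacker.example/login` into the Location `//attacker.example/login/`, which the browser resolves to `https://attacker.example/login/`; the patched branch emits `/%2Fattacker.example/login/`, which stays on `app.example`. Normal paths such as `/accounts/login` are unchanged by the escaping, which is why the fix needed no configuration change.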
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Django | PyPI | >= 2.0, < 2.0.8 | 2.0.8 |
| Django | PyPI | >= 1.11, < 1.11.15 | 1.11.15 |
Affected products
350 package URLs (GHSA coordinates). The PyPI entry carries the range >= 2.0, < 2.0.8; the remaining 349 are SUSE RPM packages, grouped here by name family and distribution:
- pkg:pypi/django
- ardana-* (HPE Helion OpenStack 8 and SUSE OpenStack Cloud 8 unless noted): ansible, barbican, cassandra, ceilometer, cinder, cluster, cobbler, db, designate, freezer, glance, heat, horizon, input-model, ironic, keystone, logging, magnum, manila, memcached, monasca, monasca-transform, mq, neutron, nova, octavia, opsconsole, opsconsole-ui (SUSE OpenStack Cloud 8 only), opsconsole-ui-hpe (HPE Helion OpenStack 8 only), osconfig, service-ansible, service, ses, spark, swift, tempest, tls
- crowbar-* (SUSE OpenStack Cloud Crowbar 8): crowbar-core-branding-SOC, crowbar-core, crowbar-ha, crowbar-openstack
- documentation-hpe-helion-openstack-* (HPE Helion OpenStack 8): installation, operations, opsconsole, planning, security, user
- documentation-suse-openstack-cloud-* (SUSE OpenStack Cloud 8 unless noted): deployment (Crowbar 8 only), installation, operations, opsconsole, planning, security, supplement (also Crowbar 8), upstream-admin (also Crowbar 8), upstream-user (also Crowbar 8), user
- openstack-* (HPE Helion OpenStack 8, SUSE OpenStack Cloud 8 and SUSE OpenStack Cloud Crowbar 8): aodh, aodh-doc, barbican, barbican-doc, ceilometer, ceilometer-doc, cinder, cinder-doc, dashboard, dashboard-theme-SUSE (SUSE OpenStack Cloud 8 and Crowbar 8 only), designate, designate-doc, heat, heat-doc, heat-gbp, horizon-plugin-trove-ui, ironic, ironic-doc, keystone, keystone-doc, monasca-agent, monasca-api, monasca-log-api, neutron, neutron-doc, neutron-fwaas, neutron-fwaas-doc, neutron-gbp, neutron-lbaas, neutron-lbaas-doc, neutron-vpnaas, neutron-vpnaas-doc, nova, nova-doc, trove, trove-doc
- python-* (HPE Helion OpenStack 8, SUSE OpenStack Cloud 8 and SUSE OpenStack Cloud Crowbar 8 unless noted): ardana-configurationprocessor (HPE Helion OpenStack 8, SUSE OpenStack Cloud 8), cinderlm (HPE Helion OpenStack 8, SUSE OpenStack Cloud 8), cliff, Django1 (SUSE Package Hub 15), Django (also SUSE Package Hub 12 and SUSE Package Hub 12 SP1), freezerclient, ironicclient, magnumclient, manilaclient, muranoclient, novaclient, openstackclient, os-brick, os-client-config, oslo.cache, oslo.concurrency, oslo.config, oslo.i18n, oslo.log, oslo.messaging, oslo.middleware, oslo.policy, oslo.privsep, oslo.reports, oslotest, oslo.utils, oslo.versionedobjects, oslo.vmware, os-vif, os-win, python-subunit, saharaclient, swiftclient, zaqarclient
- supportutils-plugin-suse-openstack-cloud (HPE Helion OpenStack 8, SUSE OpenStack Cloud 8 and SUSE OpenStack Cloud Crowbar 8)
- venv-openstack-* (HPE Helion OpenStack 8 and SUSE OpenStack Cloud 8 unless noted): aodh, barbican, ceilometer, cinder, designate, freezer, glance, heat, horizon (SUSE OpenStack Cloud 8 only), horizon-hpe (HPE Helion OpenStack 8 only), ironic, keystone, magnum, manila, monasca-ceilometer, monasca, murano, neutron, nova, octavia, sahara, swift, trove
Version ranges (no CPE assigned; a range repeated for several packages or distributions is listed once):
- (no CPE) range: >= 2.0, < 2.0.8
- (no CPE) range: < 8.0+git.1553878455.7439e04-3.61.1
- (no CPE) range: < 8.0+git.1534266594.8136db7-4.30.1
- (no CPE) range: < 8.0+git.1534266612.44dcb20-3.12.1
- (no CPE) range: < 8.0+git.1534266629.0bb5d54-3.9.1
- (no CPE) range: < 8.0+git.1558619942.6bd075c-3.36.1
- (no CPE) range: < 8.0+git.1534266734.ec4822f-3.33.1
- (no CPE) range: < 8.0+git.1550694449.df88054-3.38.1
- (no CPE) range: < 8.0+git.1555341117.d812d88-3.25.1
- (no CPE) range: < 8.0+git.1558636763.f7f09ca-3.14.1
- (no CPE) range: < 8.0+git.1534266805.c9ea29b-3.15.1
- (no CPE) range: < 8.0+git.1555450219.97789ac-3.11.1
- (no CPE) range: < 8.0+git.1555450207.a7d3bfe-3.12.1
- (no CPE) range: < 8.0+git.1554732431.8f9dd50-3.15.1
- (no CPE) range: < 8.0+git.1557418274.fb273dd-3.27.1
- (no CPE) range: < 8.0+git.1534266893.1d69df7-3.6.1
- (no CPE) range: < 8.0+git.1554915846.db23473-3.24.1
- (no CPE) range: < 8.0+git.1544117621.1c9a954-3.18.1
- (no CPE) range: < 8.0+git.1555450198.c42dc52-3.6.1
- (no CPE) range: < 8.0+git.1551748668.7427826-1.18.1
- (no CPE) range: < 8.0+git.1534266982.498c352-3.6.1
- (no CPE) range: < 8.0+git.1557856965.bde9eb2-3.18.1
- (no CPE) range: < 8.0+git.1534267017.4bbecd9-3.9.1
- (no CPE) range: < 8.0+git.1549882721.b2e8873-3.13.1
- (no CPE) range: < 8.0+git.1557523208.81aa1da-3.30.1
- (no CPE) range: < 8.0+git.1559253853.bb932ea-3.29.1
- (no CPE) range: < 8.0+git.1557523035.ab44613-3.17.1
- (no CPE) range: < 8.0+git.1534267103.829be13-3.10.1
- (no CPE) range: < 8.0+git.1537201508.68c32e6-3.16.1
- (no CPE) range: < 8.0+git.1557503482.852ec24-3.36.1
- (no CPE) range: < 8.0+git.1544119019.e68516a-3.17.1
- (no CPE) range: < 8.0+git.1551382173.a81d5e1-3.26.1
- (no CPE) range: < 8.0+git.1554912320.73ad306-1.20.1
- (no CPE) range: < 8.0+git.1539709555.5b31c25-3.12.1
- (no CPE) range: < 8.0+git.1551502730.f4d219d-3.27.1
- (no CPE) range: < 8.0+git.1557761054.b971c8f-3.21.1
- (no CPE) range: < 8.0+git.1534267264.6b1e899-3.6.1
- (no CPE) range: < 5.0-10.6.3
- (no CPE) range: < 5.0+git.1558533551.8d8ed2058-3.23.1
- (no CPE) range: < 5.0+git.1559282566.6b06ca3-3.17.1
- (no CPE) range: < 5.0+git.1559335140.62bb4c014-4.25.1
- (no CPE) range: < 8.20190521-1.17.1
- (no CPE) range: < 5.1.1~dev7-3.11.2
- (no CPE) range: < 5.1.1~dev7-3.11.1
- (no CPE) range: < 5.0.2~dev3-3.14.2
- (no CPE) range: < 5.0.2~dev3-3.14.1
- (no CPE) range: < 9.0.8~dev7-3.12.2
- (no CPE) range: < 9.0.8~dev7-3.12.1
- (no CPE) range: < 11.2.3~dev5-3.15.2
- (no CPE) range: < 11.2.3~dev5-3.15.1
- (no CPE) range: < 12.0.4~dev6-3.20.2
- (no CPE) range: < 2017.2+git.1554906711.9dbe79b-7.11.1
- (no CPE) range: < 5.0.3~dev7-3.11.1
- (no CPE) range: < 9.0.8~dev3-3.18.2
- (no CPE) range: < 7.0.1~dev1-3.3.1
- (no CPE) range: < 9.0.1~dev10-3.9.1
- (no CPE) range: < 9.1.8~dev5-3.18.2
- (no CPE) range: < 9.1.8~dev5-3.18.1
- (no CPE) range: < 12.0.4~dev2-5.19.2
- (no CPE) range: < 12.0.4~dev2-5.19.1
- (no CPE) range: < 2.2.5~dev2-3.9.2
- (no CPE)range: < 2.2.1~dev26-3.12.2
- (no CPE)range: < 2.2.1~dev26-3.12.2
- (no CPE)range: < 2.2.1~dev26-3.12.2
- (no CPE)range: < 2.3.1~dev12-3.6.2
- (no CPE)range: < 2.3.1~dev12-3.6.2
- (no CPE)range: < 2.3.1~dev12-3.6.2
- (no CPE)range: < 11.0.9~dev28-3.18.2
- (no CPE)range: < 11.0.9~dev28-3.18.2
- (no CPE)range: < 11.0.9~dev28-3.18.2
- (no CPE)range: < 11.0.9~dev28-3.18.1
- (no CPE)range: < 11.0.9~dev28-3.18.1
- (no CPE)range: < 11.0.9~dev28-3.18.1
- (no CPE)range: < 11.0.3~dev1-3.14.1
- (no CPE)range: < 11.0.3~dev1-3.14.1
- (no CPE)range: < 11.0.3~dev1-3.14.1
- (no CPE)range: < 11.0.3~dev1-3.14.1
- (no CPE)range: < 11.0.3~dev1-3.14.1
- (no CPE)range: < 11.0.3~dev1-3.14.1
- (no CPE)range: < 7.3.1~dev28-3.3.1
- (no CPE)range: < 7.3.1~dev28-3.3.1
- (no CPE)range: < 7.3.1~dev28-3.3.1
- (no CPE)range: < 11.0.4~dev6-3.9.1
- (no CPE)range: < 11.0.4~dev6-3.9.1
- (no CPE)range: < 11.0.4~dev6-3.9.1
- (no CPE)range: < 11.0.4~dev6-3.9.1
- (no CPE)range: < 11.0.4~dev6-3.9.1
- (no CPE)range: < 11.0.4~dev6-3.9.1
- (no CPE)range: < 11.0.1~dev5-3.12.1
- (no CPE)range: < 11.0.1~dev5-3.12.1
- (no CPE)range: < 11.0.1~dev5-3.12.1
- (no CPE)range: < 11.0.1~dev5-3.12.1
- (no CPE)range: < 11.0.1~dev5-3.12.1
- (no CPE)range: < 11.0.1~dev5-3.12.1
- (no CPE)range: < 16.1.9~dev3-3.23.2
- (no CPE)range: < 16.1.9~dev3-3.23.2
- (no CPE)range: < 16.1.9~dev3-3.23.2
- (no CPE)range: < 16.1.9~dev3-3.23.1
- (no CPE)range: < 16.1.9~dev3-3.23.1
- (no CPE)range: < 16.1.9~dev3-3.23.1
- (no CPE)range: < 8.0.1~dev13-3.9.1
- (no CPE)range: < 8.0.1~dev13-3.9.1
- (no CPE)range: < 8.0.1~dev13-3.9.1
- (no CPE)range: < 8.0.1~dev13-3.9.1
- (no CPE)range: < 8.0.1~dev13-3.9.1
- (no CPE)range: < 8.0.1~dev13-3.9.1
- (no CPE)range: < 8.0+git.1534266236.fb1623c-6.9.1
- (no CPE)range: < 8.0+git.1534266236.fb1623c-6.9.1
- (no CPE)range: < 0.0.2+git.1541444073.4d3347c-3.6.1
- (no CPE)range: < 0.0.2+git.1541444073.4d3347c-3.6.1
- (no CPE)range: < 2.8.3-3.6.2
- (no CPE)range: < 2.8.3-3.6.2
- (no CPE)range: < 2.8.3-3.6.2
- (no CPE)range: < 1.11.15-bp150.3.3.1
- (no CPE)range: < 1.11.11-3.3.1
- (no CPE)range: < 1.11.11-3.3.1
- (no CPE)range: < 1.11.11-3.3.1
- (no CPE)range: < 1.11.15-11.1
- (no CPE)range: < 1.11.15-2.1
- (no CPE)range: < 1.5.1-3.3.2
- (no CPE)range: < 1.5.1-3.3.2
- (no CPE)range: < 1.5.1-3.3.2
- (no CPE)range: < 1.17.2-3.3.1
- (no CPE)range: < 1.17.2-3.3.1
- (no CPE)range: < 1.17.2-3.3.1
- (no CPE)range: < 2.7.1-3.3.1
- (no CPE)range: < 2.7.1-3.3.1
- (no CPE)range: < 2.7.1-3.3.1
- (no CPE)range: < 1.17.4-3.6.1
- (no CPE)range: < 1.17.4-3.6.1
- (no CPE)range: < 1.17.4-3.6.1
- (no CPE)range: < 0.14.1-3.3.1
- (no CPE)range: < 0.14.1-3.3.1
- (no CPE)range: < 0.14.1-3.3.1
- (no CPE)range: < 9.1.3-3.6.2
- (no CPE)range: < 9.1.3-3.6.2
- (no CPE)range: < 9.1.3-3.6.2
- (no CPE)range: < 3.12.2-3.3.1
- (no CPE)range: < 3.12.2-3.3.1
- (no CPE)range: < 3.12.2-3.3.1
- (no CPE)range: < 1.15.9-3.6.2
- (no CPE)range: < 1.15.9-3.6.2
- (no CPE)range: < 1.15.9-3.6.2
- (no CPE)range: < 1.28.1-3.3.1
- (no CPE)range: < 1.28.1-3.3.1
- (no CPE)range: < 1.28.1-3.3.1
- (no CPE)range: < 1.25.2-3.3.1
- (no CPE)range: < 1.25.2-3.3.1
- (no CPE)range: < 1.25.2-3.3.1
- (no CPE)range: < 3.21.2-3.3.1
- (no CPE)range: < 3.21.2-3.3.1
- (no CPE)range: < 3.21.2-3.3.1
- (no CPE)range: < 4.11.2-3.3.1
- (no CPE)range: < 4.11.2-3.3.1
- (no CPE)range: < 4.11.2-3.3.1
- (no CPE)range: < 3.17.2-3.3.2
- (no CPE)range: < 3.17.2-3.3.2
- (no CPE)range: < 3.17.2-3.3.2
- (no CPE)range: < 3.30.3-3.3.1
- (no CPE)range: < 3.30.3-3.3.1
- (no CPE)range: < 3.30.3-3.3.1
- (no CPE)range: < 5.30.8-3.8.1
- (no CPE)range: < 5.30.8-3.8.1
- (no CPE)range: < 5.30.8-3.8.1
- (no CPE)range: < 3.30.2-3.3.1
- (no CPE)range: < 3.30.2-3.3.1
- (no CPE)range: < 3.30.2-3.3.1
- (no CPE)range: < 1.25.4-3.6.1
- (no CPE)range: < 1.25.4-3.6.1
- (no CPE)range: < 1.25.4-3.6.1
- (no CPE)range: < 1.22.2-3.3.1
- (no CPE)range: < 1.22.2-3.3.1
- (no CPE)range: < 1.22.2-3.3.1
- (no CPE)range: < 1.22.2-3.3.1
- (no CPE)range: < 1.22.2-3.3.1
- (no CPE)range: < 1.22.2-3.3.1
- (no CPE)range: < 2.17.2-3.3.1
- (no CPE)range: < 2.17.2-3.3.1
- (no CPE)range: < 2.17.2-3.3.1
- (no CPE)range: < 3.28.4-3.6.1
- (no CPE)range: < 3.28.4-3.6.1
- (no CPE)range: < 3.28.4-3.6.1
- (no CPE)range: < 1.26.3-3.6.1
- (no CPE)range: < 1.26.3-3.6.1
- (no CPE)range: < 1.26.3-3.6.1
- (no CPE)range: < 2.23.2-3.3.1
- (no CPE)range: < 2.23.2-3.3.1
- (no CPE)range: < 2.23.2-3.3.1
- (no CPE)range: < 1.7.2-3.3.2
- (no CPE)range: < 1.7.2-3.3.2
- (no CPE)range: < 1.7.2-3.3.2
- (no CPE)range: < 2.2.1-3.3.1
- (no CPE)range: < 2.2.1-3.3.1
- (no CPE)range: < 2.2.1-3.3.1
- (no CPE)range: < 1.2.0-4.3.1
- (no CPE)range: < 1.2.0-4.3.1
- (no CPE)range: < 1.2.0-4.3.1
- (no CPE)range: < 1.3.1-3.3.1
- (no CPE)range: < 1.3.1-3.3.1
- (no CPE)range: < 1.3.1-3.3.1
- (no CPE)range: < 3.4.1-3.3.1
- (no CPE)range: < 3.4.1-3.3.1
- (no CPE)range: < 3.4.1-3.3.1
- (no CPE)range: < 1.7.1-3.3.1
- (no CPE)range: < 1.7.1-3.3.1
- (no CPE)range: < 1.7.1-3.3.1
- (no CPE)range: < 8.0.1551262227.7a7deb6-3.3.1
- (no CPE)range: < 8.0.1551262227.7a7deb6-3.3.1
- (no CPE)range: < 8.0.1551262227.7a7deb6-3.3.1
- (no CPE)range: < 5.1.1~dev7-12.16.1
- (no CPE)range: < 5.1.1~dev7-12.16.1
- (no CPE)range: < 5.0.2~dev3-12.17.1
- (no CPE)range: < 5.0.2~dev3-12.17.1
- (no CPE)range: < 9.0.8~dev7-12.14.1
- (no CPE)range: < 9.0.8~dev7-12.14.1
- (no CPE)range: < 11.2.3~dev5-14.17.1
- (no CPE)range: < 11.2.3~dev5-14.17.1
- (no CPE)range: < 5.0.3~dev7-12.15.1
- (no CPE)range: < 5.0.3~dev7-12.15.1
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.12.1
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.12.1
- (no CPE)range: < 15.0.2~dev9-12.15.1
- (no CPE)range: < 15.0.2~dev9-12.15.1
- (no CPE)range: < 9.0.8~dev3-12.17.1
- (no CPE)range: < 9.0.8~dev3-12.17.1
- (no CPE)range: < 12.0.4~dev6-14.22.1
- (no CPE)range: < 12.0.4~dev6-14.22.1
- (no CPE)range: < 9.1.8~dev5-12.17.1
- (no CPE)range: < 9.1.8~dev5-12.17.1
- (no CPE)range: < 12.0.4~dev2-11.17.1
- (no CPE)range: < 12.0.4~dev2-11.17.1
- (no CPE)range: < 5.0.2-11.15.1
- (no CPE)range: < 5.0.2-11.15.1
- (no CPE)range: < 5.0.4~dev17-12.19.1
- (no CPE)range: < 5.0.4~dev17-12.19.1
- (no CPE)range: < 1.5.1-8.11.1
- (no CPE)range: < 1.5.1-8.11.1
- (no CPE)range: < 2.2.1-11.13.1
- (no CPE)range: < 2.2.1-11.13.1
- (no CPE)range: < 4.0.1-12.11.1
- (no CPE)range: < 4.0.1-12.11.1
- (no CPE)range: < 11.0.2-13.19.1
- (no CPE)range: < 11.0.2-13.19.1
- (no CPE)range: < 16.1.9~dev3-11.18.1
- (no CPE)range: < 16.1.9~dev3-11.18.1
- (no CPE)range: < 1.0.5~dev1-12.17.1
- (no CPE)range: < 1.0.5~dev1-12.17.1
- (no CPE)range: < 7.0.4~dev1-11.16.1
- (no CPE)range: < 7.0.4~dev1-11.16.1
- (no CPE)range: < 2.15.2-11.11.1
- (no CPE)range: < 2.15.2-11.11.1
- (no CPE)range: < 8.0.1~dev13-11.16.1
- (no CPE)range: < 8.0.1~dev13-11.16.1
Patches
5b83b44f40ca1 [2.0.x] Bumped version for 2.0.8 release.
1 file changed · +1 −1
django/__init__.py+1 −1 modified@@ -1,6 +1,6 @@ from django.utils.version import get_version -VERSION = (2, 0, 8, 'alpha', 0) +VERSION = (2, 0, 8, 'final', 0) __version__ = get_version(VERSION)
6010da2fbda5 [1.11.x] Bumped version for 1.11.15 release.
1 file changed · +1 −1
django/__init__.py+1 −1 modified@@ -2,7 +2,7 @@ from django.utils.version import get_version -VERSION = (1, 11, 15, 'alpha', 0) +VERSION = (1, 11, 15, 'final', 0) __version__ = get_version(VERSION)
6fffc3c6d420 [2.0.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
8 files changed · +78 −8
django/middleware/common.py+3 −0 modified@@ -11,6 +11,7 @@ cc_delim_re, get_conditional_response, set_response_etag, ) from django.utils.deprecation import MiddlewareMixin, RemovedInDjango21Warning +from django.utils.http import escape_leading_slashes class CommonMiddleware(MiddlewareMixin): @@ -88,6 +89,8 @@ def get_full_path_with_slash(self, request): POST, PUT, or PATCH. """ new_path = request.get_full_path(force_append_slash=True) + # Prevent construction of scheme relative urls. + new_path = escape_leading_slashes(new_path) if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'): raise RuntimeError( "You called this URL via %(method)s, but the URL doesn't end "
django/urls/resolvers.py+2 −4 modified@@ -17,7 +17,7 @@ from django.core.exceptions import ImproperlyConfigured from django.utils.datastructures import MultiValueDict from django.utils.functional import cached_property -from django.utils.http import RFC3986_SUBDELIMS +from django.utils.http import RFC3986_SUBDELIMS, escape_leading_slashes from django.utils.regex_helper import normalize from django.utils.translation import get_language @@ -604,9 +604,7 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs): # safe characters from `pchar` definition of RFC 3986 url = quote(candidate_pat % text_candidate_subs, safe=RFC3986_SUBDELIMS + '/~:@') # Don't allow construction of scheme relative urls. - if url.startswith('//'): - url = '/%%2F%s' % url[2:] - return url + return escape_leading_slashes(url) # lookup_view can be URL name or callable, but callables are not # friendly in error messages. m = getattr(lookup_view, '__module__', None)
django/utils/http.py+11 −0 modified@@ -437,3 +437,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8', value = unquote(value, encoding=encoding, errors=errors) r.append((name, value)) return r + + +def escape_leading_slashes(url): + """ + If redirecting to an absolute path (two leading slashes), a slash must be + escaped to prevent browsers from handling the path as schemaless and + redirecting to another host. + """ + if url.startswith('//'): + url = '/%2F{}'.format(url[2:]) + return url
docs/releases/1.11.15.txt+13 −0 modified@@ -5,3 +5,16 @@ Django 1.11.15 release notes *August 1, 2018* Django 1.11.15 fixes a security issue in 1.11.14. + +CVE-2018-14574: Open redirect possibility in ``CommonMiddleware`` +================================================================= + +If the :class:`~django.middleware.common.CommonMiddleware` and the +:setting:`APPEND_SLASH` setting are both enabled, and if the project has a +URL pattern that accepts any path ending in a slash (many content management +systems have such a pattern), then a request to a maliciously crafted URL of +that site could lead to a redirect to another site, enabling phishing and other +attacks. + +``CommonMiddleware`` now escapes leading slashes to prevent redirects to other +domains.
docs/releases/2.0.8.txt+13 −0 modified@@ -6,6 +6,19 @@ Django 2.0.8 release notes Django 2.0.8 fixes a security issue and several bugs in 2.0.7. +CVE-2018-14574: Open redirect possibility in ``CommonMiddleware`` +================================================================= + +If the :class:`~django.middleware.common.CommonMiddleware` and the +:setting:`APPEND_SLASH` setting are both enabled, and if the project has a +URL pattern that accepts any path ending in a slash (many content management +systems have such a pattern), then a request to a maliciously crafted URL of +that site could lead to a redirect to another site, enabling phishing and other +attacks. + +``CommonMiddleware`` now escapes leading slashes to prevent redirects to other +domains. + Bugfixes ========
tests/middleware/tests.py+19 −0 modified@@ -133,6 +133,25 @@ def test_append_slash_quoted(self): self.assertEqual(r.status_code, 301) self.assertEqual(r.url, '/needsquoting%23/') + @override_settings(APPEND_SLASH=True) + def test_append_slash_leading_slashes(self): + """ + Paths starting with two slashes are escaped to prevent open redirects. + If there's a URL pattern that allows paths to start with two slashes, a + request with path //evil.com must not redirect to //evil.com/ (appended + slash) which is a schemaless absolute URL. The browser would navigate + to evil.com/. + """ + # Use 4 slashes because of RequestFactory behavior. + request = self.rf.get('////evil.com/security') + response = HttpResponseNotFound() + r = CommonMiddleware().process_request(request) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + r = CommonMiddleware().process_response(request, response) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + @override_settings(APPEND_SLASH=False, PREPEND_WWW=True) def test_prepend_www(self): request = self.rf.get('/path/')
tests/middleware/urls.py+2 −0 modified@@ -6,4 +6,6 @@ url(r'^noslash$', views.empty_view), url(r'^slash/$', views.empty_view), url(r'^needsquoting#/$', views.empty_view), + # Accepts paths with two leading slashes. + url(r'^(.+)/security/$', views.empty_view), ]
tests/utils_tests/test_http.py+15 −4 modified@@ -6,10 +6,10 @@ from django.utils.datastructures import MultiValueDict from django.utils.deprecation import RemovedInDjango21Warning from django.utils.http import ( - base36_to_int, cookie_date, http_date, int_to_base36, is_safe_url, - is_same_domain, parse_etags, parse_http_date, quote_etag, urlencode, - urlquote, urlquote_plus, urlsafe_base64_decode, urlsafe_base64_encode, - urlunquote, urlunquote_plus, + base36_to_int, cookie_date, escape_leading_slashes, http_date, + int_to_base36, is_safe_url, is_same_domain, parse_etags, parse_http_date, + quote_etag, urlencode, urlquote, urlquote_plus, urlsafe_base64_decode, + urlsafe_base64_encode, urlunquote, urlunquote_plus, ) @@ -275,3 +275,14 @@ def test_parsing_rfc850(self): def test_parsing_asctime(self): parsed = parse_http_date('Sun Nov 6 08:49:37 1994') self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37)) + + +class EscapeLeadingSlashesTests(unittest.TestCase): + def test(self): + tests = ( + ('//example.com', '/%2Fexample.com'), + ('//', '/%2F'), + ) + for url, expected in tests: + with self.subTest(url=url): + self.assertEqual(escape_leading_slashes(url), expected)
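Review bot: the `escape_leading_slashes` docstring added in `django/utils/http.py` calls a `//`-prefixed target an "absolute path", but two leading slashes make a scheme-relative (network-path) reference that the browser resolves against the current scheme and the host named in the path, which is exactly what the helper defends against; suggest rewording to "If redirecting to a scheme-relative URL (two leading slashes), the second slash must be escaped so the browser keeps the path on the current host." The check itself is sound: `url.startswith('//')` also covers three or more slashes, and since the result begins with `/%2F` a second application is a no-op.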
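Review bot: in `tests/middleware/tests.py` the comment `# Use 4 slashes because of RequestFactory behavior.` should name the behavior so the test stays understandable: `RequestFactory` runs the path through `urlparse`, which would treat `evil.com` as the netloc of `//evil.com/security` and leave only `/security` as `PATH_INFO`; with four slashes the netloc is empty and `PATH_INFO` becomes `//evil.com/security`, which is the input the asserted `/%2Fevil.com/security/` redirect depends on.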
d6eaee092709 [1.11.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
7 files changed · +62 −4
django/middleware/common.py+3 −0 modified@@ -11,6 +11,7 @@ ) from django.utils.deprecation import MiddlewareMixin, RemovedInDjango21Warning from django.utils.encoding import force_text +from django.utils.http import escape_leading_slashes from django.utils.six.moves.urllib.parse import urlparse @@ -90,6 +91,8 @@ def get_full_path_with_slash(self, request): POST, PUT, or PATCH. """ new_path = request.get_full_path(force_append_slash=True) + # Prevent construction of scheme relative urls. + new_path = escape_leading_slashes(new_path) if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'): raise RuntimeError( "You called this URL via %(method)s, but the URL doesn't end "
django/urls/resolvers.py+4 −4 modified@@ -20,7 +20,9 @@ from django.utils.datastructures import MultiValueDict from django.utils.encoding import force_str, force_text from django.utils.functional import cached_property -from django.utils.http import RFC3986_SUBDELIMS, urlquote +from django.utils.http import ( + RFC3986_SUBDELIMS, escape_leading_slashes, urlquote, +) from django.utils.regex_helper import normalize from django.utils.translation import get_language @@ -465,9 +467,7 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs): # safe characters from `pchar` definition of RFC 3986 url = urlquote(candidate_pat % candidate_subs, safe=RFC3986_SUBDELIMS + str('/~:@')) # Don't allow construction of scheme relative urls. - if url.startswith('//'): - url = '/%%2F%s' % url[2:] - return url + return escape_leading_slashes(url) # lookup_view can be URL name or callable, but callables are not # friendly in error messages. m = getattr(lookup_view, '__module__', None)
django/utils/http.py+11 −0 modified@@ -466,3 +466,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8', value = unquote(nv[1].replace(b'+', b' ')) r.append((name, value)) return r + + +def escape_leading_slashes(url): + """ + If redirecting to an absolute path (two leading slashes), a slash must be + escaped to prevent browsers from handling the path as schemaless and + redirecting to another host. + """ + if url.startswith('//'): + url = '/%2F{}'.format(url[2:]) + return url
docs/releases/1.11.15.txt+13 −0 modified@@ -5,3 +5,16 @@ Django 1.11.15 release notes *August 1, 2018* Django 1.11.15 fixes a security issue in 1.11.14. + +CVE-2018-14574: Open redirect possibility in ``CommonMiddleware`` +================================================================= + +If the :class:`~django.middleware.common.CommonMiddleware` and the +:setting:`APPEND_SLASH` setting are both enabled, and if the project has a +URL pattern that accepts any path ending in a slash (many content management +systems have such a pattern), then a request to a maliciously crafted URL of +that site could lead to a redirect to another site, enabling phishing and other +attacks. + +``CommonMiddleware`` now escapes leading slashes to prevent redirects to other +domains.
tests/middleware/tests.py+19 −0 modified@@ -137,6 +137,25 @@ def test_append_slash_quoted(self): self.assertEqual(r.status_code, 301) self.assertEqual(r.url, '/needsquoting%23/') + @override_settings(APPEND_SLASH=True) + def test_append_slash_leading_slashes(self): + """ + Paths starting with two slashes are escaped to prevent open redirects. + If there's a URL pattern that allows paths to start with two slashes, a + request with path //evil.com must not redirect to //evil.com/ (appended + slash) which is a schemaless absolute URL. The browser would navigate + to evil.com/. + """ + # Use 4 slashes because of RequestFactory behavior. + request = self.rf.get('////evil.com/security') + response = HttpResponseNotFound() + r = CommonMiddleware().process_request(request) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + r = CommonMiddleware().process_response(request, response) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + @override_settings(APPEND_SLASH=False, PREPEND_WWW=True) def test_prepend_www(self): request = self.rf.get('/path/')
tests/middleware/urls.py+2 −0 modified@@ -6,4 +6,6 @@ url(r'^noslash$', views.empty_view), url(r'^slash/$', views.empty_view), url(r'^needsquoting#/$', views.empty_view), + # Accepts paths with two leading slashes. + url(r'^(.+)/security/$', views.empty_view), ]
tests/utils_tests/test_http.py+10 −0 modified@@ -248,3 +248,13 @@ def test_parsing_rfc850(self): def test_parsing_asctime(self): parsed = http.parse_http_date('Sun Nov 6 08:49:37 1994') self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37)) + + +class EscapeLeadingSlashesTests(unittest.TestCase): + def test(self): + tests = ( + ('//example.com', '/%2Fexample.com'), + ('//', '/%2F'), + ) + for url, expected in tests: + self.assertEqual(http.escape_leading_slashes(url), expected)
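Review bot: `EscapeLeadingSlashesTests.test` in `tests/utils_tests/test_http.py` loops over the cases without `self.subTest(url=url)`, unlike the 2.0.x version of this change, so a failure on `//example.com` would hide the result for `//`. Presumably this is because 1.11.x still supports Python 2.7, whose `unittest` has no `subTest`; a one-line comment saying so would keep a later reader from "fixing" it, or the two cases could be split into separate test methods.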
c4e5ff7fdb5f [2.1.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.
8 files changed · +78 −8
django/middleware/common.py+3 −0 modified@@ -7,6 +7,7 @@ from django.http import HttpResponsePermanentRedirect from django.urls import is_valid_path from django.utils.deprecation import MiddlewareMixin +from django.utils.http import escape_leading_slashes class CommonMiddleware(MiddlewareMixin): @@ -79,6 +80,8 @@ def get_full_path_with_slash(self, request): POST, PUT, or PATCH. """ new_path = request.get_full_path(force_append_slash=True) + # Prevent construction of scheme relative urls. + new_path = escape_leading_slashes(new_path) if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'): raise RuntimeError( "You called this URL via %(method)s, but the URL doesn't end "
django/urls/resolvers.py+2 −4 modified@@ -17,7 +17,7 @@ from django.core.exceptions import ImproperlyConfigured from django.utils.datastructures import MultiValueDict from django.utils.functional import cached_property -from django.utils.http import RFC3986_SUBDELIMS +from django.utils.http import RFC3986_SUBDELIMS, escape_leading_slashes from django.utils.regex_helper import normalize from django.utils.translation import get_language @@ -592,9 +592,7 @@ def _reverse_with_prefix(self, lookup_view, _prefix, *args, **kwargs): # safe characters from `pchar` definition of RFC 3986 url = quote(candidate_pat % text_candidate_subs, safe=RFC3986_SUBDELIMS + '/~:@') # Don't allow construction of scheme relative urls. - if url.startswith('//'): - url = '/%%2F%s' % url[2:] - return url + return escape_leading_slashes(url) # lookup_view can be URL name or callable, but callables are not # friendly in error messages. m = getattr(lookup_view, '__module__', None)
django/utils/http.py+11 −0 modified@@ -433,3 +433,14 @@ def limited_parse_qsl(qs, keep_blank_values=False, encoding='utf-8', value = unquote(value, encoding=encoding, errors=errors) r.append((name, value)) return r + + +def escape_leading_slashes(url): + """ + If redirecting to an absolute path (two leading slashes), a slash must be + escaped to prevent browsers from handling the path as schemaless and + redirecting to another host. + """ + if url.startswith('//'): + url = '/%2F{}'.format(url[2:]) + return url
docs/releases/1.11.15.txt+13 −0 modified@@ -5,3 +5,16 @@ Django 1.11.15 release notes *August 1, 2018* Django 1.11.15 fixes a security issue in 1.11.14. + +CVE-2018-14574: Open redirect possibility in ``CommonMiddleware`` +================================================================= + +If the :class:`~django.middleware.common.CommonMiddleware` and the +:setting:`APPEND_SLASH` setting are both enabled, and if the project has a +URL pattern that accepts any path ending in a slash (many content management +systems have such a pattern), then a request to a maliciously crafted URL of +that site could lead to a redirect to another site, enabling phishing and other +attacks. + +``CommonMiddleware`` now escapes leading slashes to prevent redirects to other +domains.
docs/releases/2.0.8.txt+13 −0 modified@@ -6,6 +6,19 @@ Django 2.0.8 release notes Django 2.0.8 fixes a security issue and several bugs in 2.0.7. +CVE-2018-14574: Open redirect possibility in ``CommonMiddleware`` +================================================================= + +If the :class:`~django.middleware.common.CommonMiddleware` and the +:setting:`APPEND_SLASH` setting are both enabled, and if the project has a +URL pattern that accepts any path ending in a slash (many content management +systems have such a pattern), then a request to a maliciously crafted URL of +that site could lead to a redirect to another site, enabling phishing and other +attacks. + +``CommonMiddleware`` now escapes leading slashes to prevent redirects to other +domains. + Bugfixes ========
tests/middleware/tests.py+19 −0 modified@@ -130,6 +130,25 @@ def test_append_slash_quoted(self): self.assertEqual(r.status_code, 301) self.assertEqual(r.url, '/needsquoting%23/') + @override_settings(APPEND_SLASH=True) + def test_append_slash_leading_slashes(self): + """ + Paths starting with two slashes are escaped to prevent open redirects. + If there's a URL pattern that allows paths to start with two slashes, a + request with path //evil.com must not redirect to //evil.com/ (appended + slash) which is a schemaless absolute URL. The browser would navigate + to evil.com/. + """ + # Use 4 slashes because of RequestFactory behavior. + request = self.rf.get('////evil.com/security') + response = HttpResponseNotFound() + r = CommonMiddleware().process_request(request) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + r = CommonMiddleware().process_response(request, response) + self.assertEqual(r.status_code, 301) + self.assertEqual(r.url, '/%2Fevil.com/security/') + @override_settings(APPEND_SLASH=False, PREPEND_WWW=True) def test_prepend_www(self): request = self.rf.get('/path/')
tests/middleware/urls.py+2 −0 modified@@ -6,4 +6,6 @@ url(r'^noslash$', views.empty_view), url(r'^slash/$', views.empty_view), url(r'^needsquoting#/$', views.empty_view), + # Accepts paths with two leading slashes. + url(r'^(.+)/security/$', views.empty_view), ]
tests/utils_tests/test_http.py+15 −4 modified@@ -5,10 +5,10 @@ from django.utils.datastructures import MultiValueDict from django.utils.deprecation import RemovedInDjango30Warning from django.utils.http import ( - base36_to_int, cookie_date, http_date, int_to_base36, is_safe_url, - is_same_domain, parse_etags, parse_http_date, quote_etag, urlencode, - urlquote, urlquote_plus, urlsafe_base64_decode, urlsafe_base64_encode, - urlunquote, urlunquote_plus, + base36_to_int, cookie_date, escape_leading_slashes, http_date, + int_to_base36, is_safe_url, is_same_domain, parse_etags, parse_http_date, + quote_etag, urlencode, urlquote, urlquote_plus, urlsafe_base64_decode, + urlsafe_base64_encode, urlunquote, urlunquote_plus, ) @@ -271,3 +271,14 @@ def test_parsing_rfc850(self): def test_parsing_asctime(self): parsed = parse_http_date('Sun Nov 6 08:49:37 1994') self.assertEqual(datetime.utcfromtimestamp(parsed), datetime(1994, 11, 6, 8, 49, 37)) + + +class EscapeLeadingSlashesTests(unittest.TestCase): + def test(self): + tests = ( + ('//example.com', '/%2Fexample.com'), + ('//', '/%2F'), + ) + for url, expected in tests: + with self.subTest(url=url): + self.assertEqual(escape_leading_slashes(url), expected)
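Review bot: `EscapeLeadingSlashesTests` in `tests/utils_tests/test_http.py` only checks inputs that get rewritten (`//example.com`, `//`). Add the negative cases that pin the helper's contract: an ordinary path such as `/example.com` must come back unchanged, and an already escaped `/%2Fexample.com` must survive a second call unchanged, so the helper is demonstrably safe to apply at more than one point in the request path.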
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:0265 (ghsa; vendor-advisory; x_refsource_REDHAT; WEB)
- github.com/advisories/GHSA-5hg3-6c2f-f3wr (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-14574 (ghsa; ADVISORY)
- usn.ubuntu.com/3726-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- www.debian.org/security/2018/dsa-4264 (ghsa; vendor-advisory; x_refsource_DEBIAN; WEB)
- www.securityfocus.com/bid/104970 (mitre; vdb-entry; x_refsource_BID)
- www.securitytracker.com/id/1041403 (mitre; vdb-entry; x_refsource_SECTRACK)
- github.com/django/django/commit/6fffc3c6d420e44f4029d5643f38d00a39b08525 (ghsa; WEB)
- github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c (ghsa; WEB)
- github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-2.yaml (ghsa; WEB)
- usn.ubuntu.com/3726-1 (ghsa; WEB)
- web.archive.org/web/20190901075632/http://www.securitytracker.com/id/1041403 (ghsa; WEB)
- web.archive.org/web/20200227115315/http://www.securityfocus.com/bid/104970 (ghsa; WEB)
- www.djangoproject.com/weblog/2018/aug/01/security-releases (ghsa; WEB)
- www.djangoproject.com/weblog/2018/aug/01/security-releases/ (mitre; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.