{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"low"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2017-7233","title":"Title"},{"category":"description","text":"Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2017-7233","url":"https://www.suse.com/security/cve/CVE-2017-7233"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1031450 for CVE-2017-7233","url":"https://bugzilla.suse.com/1031450"},{"category":"external","summary":"Advisory link for SUSE-SU-2018:0973-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2018-April/003895.html"},{"category":"external","summary":"Advisory link for SUSE-SU-2018:1102-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2018-April/003965.html"},{"category":"external","summary":"Advisory link for openSUSE-SU-2023:0077-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGS4NP24275NERRPQV6A6EONV6W3C2SK/"}],"title":"SUSE CVE CVE-2017-7233","tracking":{"current_release_date":"2026-01-04T00:38:30Z","generator":{"date":"2023-02-15T04:48:08Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2017-7233","initial_release_date":"2023-02-15T04:48:08Z","revision_history":[{"date":"2023-02-15T04:48:08Z","number":"2","summary":"Current version"},{"date":"2023-03-21T03:48:06Z","number":"3","summary":"Current version"},{"date":"2023-12-08T04:25:51Z","number":"4","summary":"Current version"},{"date":"2024-07-20T04:28:08Z","number":"5","summary":"Current version"},{"date":"2025-01-01T09:03:52Z","number":"6","summary":"Current version"},{"date":"2025-02-08T06:31:47Z","number":"7","summary":"Current version"},{"date":"2025-03-16T03:12:53Z","number":"8","summary":"Current version"},{"date":"2025-04-25T08:12:53Z","number":"9","summary":"Current version"},{"date":"2025-10-07T10:33:35Z","number":"10","summary":"Current version"},{"date":"2026-01-04T00:38:30Z","number":"11","summary":"more updates released"}],"status":"interim","version":"11"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE OpenStack Cloud 6","product":{"name":"SUSE OpenStack Cloud 6","product_id":"SUSE OpenStack Cloud 6","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:6"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 7","product":{"name":"SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:7"}}},{"category":"product_name","name":"SUSE Package Hub 12","product":{"name":"SUSE Package Hub 12","product_id":"SUSE Package Hub 12","product_identification_helper":{"cpe":"cpe:/o:suse:packagehub:12"}}},{"category":"product_name","name":"SUSE Package Hub 12 SP1","product":{"name":"SUSE Package Hub 12 SP1","product_id":"SUSE Package Hub 12 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:packagehub:12:sp1"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"python-Django-1.11.10-5.1","product":{"name":"python-Django-1.11.10-5.1","product_id":"python-Django-1.11.10-5.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:1.11.10:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python-Django@1.11.10-5.1?upstream=python-Django-1.11.10-5.1.src.rpm"}}},{"category":"product_version","name":"python-Django-1.11.15-2.1","product":{"name":"python-Django-1.11.15-2.1","product_id":"python-Django-1.11.15-2.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:1.11.15:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python-Django@1.11.15-2.1?upstream=python-Django-1.11.15-2.1.src.rpm"}}},{"category":"product_version","name":"python-Django-1.8.19-3.4.1","product":{"name":"python-Django-1.8.19-3.4.1","product_id":"python-Django-1.8.19-3.4.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:1.8.19:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python-Django@1.8.19-3.4.1?upstream=python-Django-1.8.19-3.4.1.src.rpm"}}},{"category":"product_version","name":"python-Django-1.8.19-3.6.1","product":{"name":"python-Django-1.8.19-3.6.1","product_id":"python-Django-1.8.19-3.6.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:1.8.19:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python-Django@1.8.19-3.6.1?upstream=python-Django-1.8.19-3.6.1.src.rpm"}}},{"category":"product_version","name":"python310-Django-4.2.11-2.1","product":{"name":"python310-Django-4.2.11-2.1","product_id":"python310-Django-4.2.11-2.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:4.2.11:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python310-Django@4.2.11-2.1"}}},{"category":"product_version","name":"python310-Django4-4.2.14-1.1","product":{"name":"python310-Django4-4.2.14-1.1","product_id":"python310-Django4-4.2.14-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python310-Django4@4.2.14-1.1"}}},{"category":"product_version","name":"python311-Django-4.2.11-2.1","product":{"name":"python311-Django-4.2.11-2.1","product_id":"python311-Django-4.2.11-2.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:4.2.11:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python311-Django@4.2.11-2.1?upstream=python-Django-4.2.11-2.1.src.rpm"}}},{"category":"product_version","name":"python311-Django4-4.2.14-1.1","product":{"name":"python311-Django4-4.2.14-1.1","product_id":"python311-Django4-4.2.14-1.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:4.2.14:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python311-Django4@4.2.14-1.1"}}},{"category":"product_version","name":"python312-Django-4.2.11-2.1","product":{"name":"python312-Django-4.2.11-2.1","product_id":"python312-Django-4.2.11-2.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:4.2.11:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python312-Django@4.2.11-2.1"}}},{"category":"product_version","name":"python312-Django4-4.2.14-1.1","product":{"name":"python312-Django4-4.2.14-1.1","product_id":"python312-Django4-4.2.14-1.1","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:4.2.14:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python312-Django4@4.2.14-1.1"}}},{"category":"product_version","name":"python312-Django6-6.0-1.1","product":{"name":"python312-Django6-6.0-1.1","product_id":"python312-Django6-6.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python312-Django6@6.0-1.1"}}},{"category":"product_version","name":"python313-Django6-6.0-1.1","product":{"name":"python313-Django6-6.0-1.1","product_id":"python313-Django6-6.0-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/python313-Django6@6.0-1.1"}}},{"category":"product_version","name":"python36-Django-3.2.7-2.3","product":{"name":"python36-Django-3.2.7-2.3","product_id":"python36-Django-3.2.7-2.3","product_identification_helper":{"purl":"pkg:rpm/suse/python36-Django@3.2.7-2.3"}}},{"category":"product_version","name":"python38-Django-3.2.7-2.3","product":{"name":"python38-Django-3.2.7-2.3","product_id":"python38-Django-3.2.7-2.3","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:3.2.7:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python38-Django@3.2.7-2.3"}}},{"category":"product_version","name":"python39-Django-3.2.7-2.3","product":{"name":"python39-Django-3.2.7-2.3","product_id":"python39-Django-3.2.7-2.3","product_identification_helper":{"cpe":"cpe:2.3:a:djangoproject:django:3.2.7:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/python39-Django@3.2.7-2.3"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"python-Django-1.8.19-3.6.1 as component of SUSE OpenStack Cloud 6","product_id":"SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1"},"product_reference":"python-Django-1.8.19-3.6.1","relates_to_product_reference":"SUSE OpenStack Cloud 6"},{"category":"default_component_of","full_product_name":{"name":"python-Django-1.8.19-3.4.1 as component of SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1"},"product_reference":"python-Django-1.8.19-3.4.1","relates_to_product_reference":"SUSE OpenStack Cloud 7"},{"category":"default_component_of","full_product_name":{"name":"python-Django-1.11.10-5.1 as component of SUSE Package Hub 12","product_id":"SUSE Package Hub 12:python-Django-1.11.10-5.1"},"product_reference":"python-Django-1.11.10-5.1","relates_to_product_reference":"SUSE Package Hub 12"},{"category":"default_component_of","full_product_name":{"name":"python-Django-1.11.15-2.1 as component of SUSE Package Hub 12 SP1","product_id":"SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1"},"product_reference":"python-Django-1.11.15-2.1","relates_to_product_reference":"SUSE Package Hub 12 SP1"},{"category":"default_component_of","full_product_name":{"name":"python310-Django-4.2.11-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python310-Django-4.2.11-2.1"},"product_reference":"python310-Django-4.2.11-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python310-Django4-4.2.14-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python310-Django4-4.2.14-1.1"},"product_reference":"python310-Django4-4.2.14-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python311-Django-4.2.11-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python311-Django-4.2.11-2.1"},"product_reference":"python311-Django-4.2.11-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python311-Django4-4.2.14-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python311-Django4-4.2.14-1.1"},"product_reference":"python311-Django4-4.2.14-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python312-Django-4.2.11-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-Django-4.2.11-2.1"},"product_reference":"python312-Django-4.2.11-2.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python312-Django4-4.2.14-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-Django4-4.2.14-1.1"},"product_reference":"python312-Django4-4.2.14-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python312-Django6-6.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python312-Django6-6.0-1.1"},"product_reference":"python312-Django6-6.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python313-Django6-6.0-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python313-Django6-6.0-1.1"},"product_reference":"python313-Django6-6.0-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python36-Django-3.2.7-2.3 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python36-Django-3.2.7-2.3"},"product_reference":"python36-Django-3.2.7-2.3","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python38-Django-3.2.7-2.3 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python38-Django-3.2.7-2.3"},"product_reference":"python38-Django-3.2.7-2.3","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"python39-Django-3.2.7-2.3 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:python39-Django-3.2.7-2.3"},"product_reference":"python39-Django-3.2.7-2.3","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2017-7233","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2017-7233"}],"notes":[{"category":"general","text":"Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an \"on success\" URL. The security check for these redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric URLs \"safe\" when they shouldn't be, aka an open redirect vulnerability. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect targets and puts such a URL into a link, they could suffer from an XSS attack.","title":"CVE description"}],"product_status":{"recommended":["SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1","SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1","SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1","SUSE Package Hub 12:python-Django-1.11.10-5.1","openSUSE Tumbleweed:python310-Django-4.2.11-2.1","openSUSE Tumbleweed:python310-Django4-4.2.14-1.1","openSUSE Tumbleweed:python311-Django-4.2.11-2.1","openSUSE Tumbleweed:python311-Django4-4.2.14-1.1","openSUSE Tumbleweed:python312-Django-4.2.11-2.1","openSUSE Tumbleweed:python312-Django4-4.2.14-1.1","openSUSE Tumbleweed:python312-Django6-6.0-1.1","openSUSE Tumbleweed:python313-Django6-6.0-1.1","openSUSE Tumbleweed:python36-Django-3.2.7-2.3","openSUSE Tumbleweed:python38-Django-3.2.7-2.3","openSUSE Tumbleweed:python39-Django-3.2.7-2.3"]},"references":[{"category":"external","summary":"CVE-2017-7233","url":"https://www.suse.com/security/cve/CVE-2017-7233"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1031450 for CVE-2017-7233","url":"https://bugzilla.suse.com/1031450"},{"category":"external","summary":"Advisory link for SUSE-SU-2018:0973-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2018-April/003895.html"},{"category":"external","summary":"Advisory link for SUSE-SU-2018:1102-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2018-April/003965.html"},{"category":"external","summary":"Advisory link for openSUSE-SU-2023:0077-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OGS4NP24275NERRPQV6A6EONV6W3C2SK/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1","SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1","SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1","SUSE Package Hub 12:python-Django-1.11.10-5.1","openSUSE Tumbleweed:python310-Django-4.2.11-2.1","openSUSE Tumbleweed:python310-Django4-4.2.14-1.1","openSUSE Tumbleweed:python311-Django-4.2.11-2.1","openSUSE Tumbleweed:python311-Django4-4.2.14-1.1","openSUSE Tumbleweed:python312-Django-4.2.11-2.1","openSUSE Tumbleweed:python312-Django4-4.2.14-1.1","openSUSE Tumbleweed:python312-Django6-6.0-1.1","openSUSE Tumbleweed:python313-Django6-6.0-1.1","openSUSE Tumbleweed:python36-Django-3.2.7-2.3","openSUSE Tumbleweed:python38-Django-3.2.7-2.3","openSUSE Tumbleweed:python39-Django-3.2.7-2.3"]}],"scores":[{"cvss_v3":{"baseScore":6.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.0"},"products":["SUSE OpenStack Cloud 6:python-Django-1.8.19-3.6.1","SUSE OpenStack Cloud 7:python-Django-1.8.19-3.4.1","SUSE Package Hub 12 SP1:python-Django-1.11.15-2.1","SUSE Package Hub 12:python-Django-1.11.10-5.1","openSUSE Tumbleweed:python310-Django-4.2.11-2.1","openSUSE Tumbleweed:python310-Django4-4.2.14-1.1","openSUSE Tumbleweed:python311-Django-4.2.11-2.1","openSUSE Tumbleweed:python311-Django4-4.2.14-1.1","openSUSE Tumbleweed:python312-Django-4.2.11-2.1","openSUSE Tumbleweed:python312-Django4-4.2.14-1.1","openSUSE Tumbleweed:python312-Django6-6.0-1.1","openSUSE Tumbleweed:python313-Django6-6.0-1.1","openSUSE Tumbleweed:python36-Django-3.2.7-2.3","openSUSE Tumbleweed:python38-Django-3.2.7-2.3","openSUSE Tumbleweed:python39-Django-3.2.7-2.3"]}],"threats":[{"category":"impact","date":"2017-03-29T08:22:06Z","details":"low"}],"title":"CVE-2017-7233"}]}