Skip to content

Django Arbitrary Code Execution

High severity GitHub Reviewed Published May 1, 2022 to the GitHub Advisory Database • Updated Jun 12, 2024

Package

pip Django (pip)

Affected versions

= 0.95

Patched versions

1.0

Description

bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.

References

Published by the National Vulnerability Database Jan 23, 2007
Published to the GitHub Advisory Database May 1, 2022
Reviewed May 14, 2024
Last updated Jun 12, 2024

Severity

High

EPSS score

0.965%
(84th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2007-0404

GHSA ID

GHSA-qc99-g3wm-hgxr

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.