CVE-2014-0474

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Published: 2014-04-23 Last update: 2026-05-06 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2014-0474 is rated High Risk (68.8/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 3.96%). Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Exploit prediction scoring system (EPSS) score for CVE-2014-0474

EPSS is a daily estimate of the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a more severe relative rank).

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-12-14 | 5.94% | 3.96% | -1.97% |
| 2 | 2025-10-01 | 6.29% | 5.94% | -0.36% |
| 3 | 2025-07-20 | | 6.29% | |

Full EPSS history (10 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-0474

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 2.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | [email protected] |

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (Au:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

Weakness enumeration for CVE-2014-0474

GitHub Security Advisory for CVE-2014-0474

GHSA-wqjj-hx84-v449 · Severity: high · Ecosystem: pip — Django Vulnerable to MySQL Injection

OS Trackers for CVE-2014-0474

| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | not yet assigned | CVE-2014-0474 not yet assigned priority: Debian including 1 source packages (python-django), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2014-0474 |
| gentoo | normal | CVE-2014-0474: 1 GLSA(s) (201406-26), 1 atom(s) (dev-python/django); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2014-0474 |
| redhat | medium | | https://access.redhat.com/security/cve/CVE-2014-0474 |
| ubuntu | medium | CVE-2014-0474 medium priority: Ubuntu including 1 source packages (python-django), 6 status rows across 6 suites (lucid, precise, quantal, saucy, trusty, upstream): released 6. | https://ubuntu.com/security/CVE-2014-0474 |

Affected software / configurations for CVE-2014-0474

Vendor Product Version Raw CPE
canonical ubuntu_linux 10.04 cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
canonical ubuntu_linux 12.04 cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
canonical ubuntu_linux 12.10 cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
canonical ubuntu_linux 13.10 cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
djangoproject django 1.6 cpe:2.3:a:djangoproject:django:1.6:*:*:*:*:*:*:*
djangoproject django 1.6.1 cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*
djangoproject django 1.6.2 cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*
djangoproject django <= 1.4.10 cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
djangoproject django 1.4 cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*
djangoproject django 1.4.1 cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*
djangoproject django 1.4.2 cpe:2.3:a:djangoproject:django:1.4.2:*:*:*:*:*:*:*
djangoproject django 1.4.3 cpe:2.3:a:djangoproject:django:1.4.3:*:*:*:*:*:*:*
djangoproject django 1.4.4 cpe:2.3:a:djangoproject:django:1.4.4:*:*:*:*:*:*:*
djangoproject django 1.4.5 cpe:2.3:a:djangoproject:django:1.4.5:*:*:*:*:*:*:*
djangoproject django 1.4.6 cpe:2.3:a:djangoproject:django:1.4.6:*:*:*:*:*:*:*
djangoproject django 1.4.7 cpe:2.3:a:djangoproject:django:1.4.7:*:*:*:*:*:*:*
djangoproject django 1.4.8 cpe:2.3:a:djangoproject:django:1.4.8:*:*:*:*:*:*:*
djangoproject django 1.4.9 cpe:2.3:a:djangoproject:django:1.4.9:*:*:*:*:*:*:*
djangoproject django 1.7 cpe:2.3:a:djangoproject:django:1.7:alpha1:*:*:*:*:*:*
djangoproject django 1.7 cpe:2.3:a:djangoproject:django:1.7:alpha2:*:*:*:*:*:*
djangoproject django 1.7 cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*
djangoproject django 1.5 cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*
djangoproject django 1.5.1 cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*
djangoproject django 1.5.2 cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*
djangoproject django 1.5.3 cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*
djangoproject django 1.5.4 cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*
djangoproject django 1.5.5 cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*

References for CVE-2014-0474