Lucene search

K

GoogleOSV:GHSA-Q5QW-4364-5HHM

HistoryMay 17, 2022 - 12:48 a.m.

Django Vulnerable to HTTP Response Splitting Attack

2022-05-1700:48:30

Google

osv.dev

15

django

vulnerable

http response splitting

EPSS

0.006

Percentile

78.8%

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

References

lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html

lists.opensuse.org/opensuse-updates/2015-10/msg00043.html

lists.opensuse.org/opensuse-updates/2015-10/msg00046.html

www.debian.org/security/2015/dsa-3305

www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html

www.ubuntu.com/usn/USN-2671-1

github.com/django/django

github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.4.21.txt#L30-L54

github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a

github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0

github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c

github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649

nvd.nist.gov/vuln/detail/CVE-2015-5144

security.gentoo.org/glsa/201510-06

web.archive.org/web/20150924150801/www.securitytracker.com/id/1032820

web.archive.org/web/20200228050526/www.securityfocus.com/bid/75665

www.djangoproject.com/weblog/2015/jul/08/security-releases

EPSS

0.006

Percentile

78.8%

Related for OSV:GHSA-Q5QW-4364-5HHM

ubuntucve1 cvelist1 cve1 nvd1 prion1 gitlab1 osv3 debiancve1 github1 openvas7 debian2 nessus10 ubuntu1 securityvulns2 mageia1 gentoo1 freebsd1 fedora2 altlinux2