CVE-2011-4138 — Improper Input Validation in Django

CWE-20 — Improper Input Validation9 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.6%

top 29.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedOct 19

Latest updateMay 14

Description

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.3 — 1.3.1+1

▶NVDdjangoproject/django1.2.6+18

Patches

Patch: openwall.com ↗Patch: openwall.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

Django Might Allow CSRF Requests via URL Verification↗2022-05-14

▶

GHSA

Django Might Allow CSRF Requests via URL Verification↗2022-05-14

▶

CVEList

CVE-2011-4138: The verify_exists functionality in the URLField implementation in Django before 1↗2011-10-19

▶

OSV

CVE-2011-4138: The verify_exists functionality in the URLField implementation in Django before 1↗2011-10-19

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2011-12-09

▶

Debian

CVE-2011-4138: python-django - The verify_exists functionality in the URLField implementation in Django before ...↗2011

▶

💬Community

Bugzilla

CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]↗2011-09-30

▶

Bugzilla

CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws↗2011-09-11

▶