CVE-2011-4139
Published 2011-10-19
Priority P4 · CVSS 2.0 score 5.0 (medium) · vector AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS 2.30% (81.2th percentile)
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.3.1-1 (bookworm) | python-django 1.3.1-1 (bookworm) |
| djangoproject | django | <= 1.2.6 | — |
| djangoproject | django | >= 0 < 1.2.7 | 1.2.7 |
| djangoproject | django | >= 1.3 < 1.3.1 | 1.3.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (CVSS v2.0) | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | 5.0 | MEDIUM | — |
| vendor_ubuntu | 5.8 | MEDIUM | — |
| vendor_debian | 5.0 | MEDIUM | — |
GHSA
Django Vulnerable to Cache Poisoning
ghsa · 2022-05-14 · CVE-2011-4139 · HIGH · CWE-20
Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.
OSV
Django Vulnerable to Cache Poisoning
osv · 2022-05-14 · CVE-2011-4139 · HIGH
OSV
CVE-2011-4139: Django before 1
osv · 2011-10-19 · CVE-2011-4139 · MEDIUM · CVSS 5.0
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2011-12-09 · CVE-2011-4136 · MEDIUM · CVSS 5.8
Summary: Applications using Django could be made to crash or expose sensitive information.
Paul McMillan discovered that Django used the root namespace when storing cached session data. A remote attacker could exploit this to modify sessions. (CVE-2011-4136)
Paul McMillan discovered that Django would not time out on arbitrary URLs when the application used URLFields. This could be exploited by a remote attacker to cause a denial of service via resource exhaustion. (CVE-2011-4137)
Paul McMillan discovered that while Django would check the validity of a URL via a HEAD request, it would instead use a GET request for the target of a redirect. This could potentially be used to trigger arbitrary GET requests via a crafted Location header. (CVE-2011-4138)
It was
Debian
CVE-2011-4139: python-django - Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to ...
vendor_debian · 2011 · CVE-2011-4139 · MEDIUM · CVSS 5.0
Scope: local
bookworm: resolved (fixed in 1.3.1-1)
bullseye: resolved (fixed in 1.3.1-1)
forky: resolved (fixed in 1.3.1-1)
sid: resolved (fixed in 1.3.1-1)
trixie: resolved (fixed in 1.3.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
Django: Host header poisoning hardening
bugzilla · 2013-02-20 · MEDIUM · CVSS 5.0
James Bennett of Django reports:
Issue: Host header poisoning
Several previous Django security releases have attempted to address persistent issues with the HTTP Host header. Django contains code -- and some functionality shipped with Django itself makes use of that code -- for constructing a fully-qualified URL based on the incoming HTTP request. Depending on configuration, this makes use of the Host header, and so an attacker who can cause a Django application to respond to arbitrary Host headers can cause Django to generate, and display to end users, URLs on arbitrary domains.
Previous iterations of this issue (see CVE-2011-4139 and CVE-2012-4520) have focused on tightening Django's parsing of Host headers, to eliminate various means by which
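The hardening this report describes, refusing to build a fully-qualified URL from a Host header the application was never meant to serve, as an added example (not code from the page, from the report, or from Django itself). It models the allowlist check Django later shipped as the ALLOWED_HOSTS setting; the function names and the `.example.com` allowlist are this example's own assumptions.

```python
"""Host header allowlisting before constructing a fully-qualified URL.

Added example, not code from the page or from Django; it models the allowlist
check Django later shipped as ALLOWED_HOSTS. All names here (split_host,
validate_host, build_absolute_uri, DisallowedHost) are this example's own.
"""
import re

class DisallowedHost(Exception):
    """Raised when a request's Host header is not on the allowlist."""

# A Host header is "host" or "host:port"; IPv6 literals are bracketed.
_HOST_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9.-]+)(?::\d+)?$")

def split_host(host_header):
    """Return the lowercased hostname from a Host header, or None if malformed."""
    match = _HOST_RE.match(host_header.strip())
    return match.group(1).lower() if match else None

def validate_host(host_header, allowed_hosts):
    """Allowlist semantics: an exact name, '.example.com' for the domain and
    any subdomain, or '*' for everything. Unparseable headers never validate."""
    host = split_host(host_header)
    if host is None:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False

def build_absolute_uri_unsafe(host_header, path, scheme="https"):
    """The pre-fix pattern: whatever Host the client sent ends up in the URL,
    so a cached page can carry links to a domain the attacker chose."""
    return "%s://%s%s" % (scheme, host_header.strip(), path)

def build_absolute_uri(host_header, path, allowed_hosts, scheme="https"):
    """Hardened pattern: reject the request before any URL is built from it."""
    if not validate_host(host_header, allowed_hosts):
        raise DisallowedHost("Invalid HTTP_HOST header: %r" % host_header)
    return "%s://%s%s" % (scheme, host_header.strip(), path)
```

A front-end cache or proxy that also pins the Host header to the canonical domain closes the same gap one layer earlier.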
Bugzilla
CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]
bugzilla · 2011-09-30 · CVE-2011-4136 · MEDIUM · CVSS 5.8
epel-6 tracking bug for Django: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
Missed the 1.2.7 errata announcement, my apologies.
---
Django-1.2.7-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/Django-1.2.7-1.el6
---
Package Django-1.2.7-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=ep
Bugzilla
CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws
bugzilla · 2011-09-11 · CVE-2011-4136 · MEDIUM · CVSS 5.8
Multiple security flaws have been recently addressed in the v1.3.1 and v1.2.7 versions of the Django Python Web framework (from [1]):
1. Session manipulation
2. Denial of service attack via URLField
3. URLField redirection
4. Host header cache poisoning
5. Host header and CSRF
6. Cross-subdomain CSRF attacks
7. DEBUG pages and sensitive POST data
References:
[1] https://www.djangoproject.com/weblog/2011/sep/09/
Discussion:
Created attachment 522611
Local text copy of Django upstream archive post from 2011-09-09
---
CVE(s) Request:
[2] http://www.openwall.com/lists/oss-security/2011/09/11/1
---
These issues are scheduled to be addressed in the following releases
References:
http://openwall.com/lists/oss-security/2011/09/11/1
http://openwall.com/lists/oss-security/2011/09/13/2
http://secunia.com/advisories/46614
http://www.debian.org/security/2011/dsa-2332
https://bugzilla.redhat.com/show_bug.cgi?id=737366
https://hermes.opensuse.org/messages/14700881
https://www.djangoproject.com/weblog/2011/sep/09/
https://www.djangoproject.com/weblog/2011/sep/10/127/