CVE-2011-4139 — Improper Input Validation in Django

CWE-20 — Improper Input Validation CWE-349 — Acceptance of Extraneous Untrusted Data With Trusted Data10 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.6%

top 29.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedOct 19

Latest updateMay 14

Description

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶PyPIdjangoproject/django1.3 — 1.3.1+1

▶NVDdjangoproject/django1.2.6+18

Patches

Patch: openwall.com ↗Patch: openwall.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

Django Vulnerable to Cache Poisoning↗2022-05-14

▶

OSV

Django Vulnerable to Cache Poisoning↗2022-05-14

▶

OSV

CVE-2011-4139: Django before 1↗2011-10-19

▶

CVEList

CVE-2011-4139: Django before 1↗2011-10-19

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2011-12-09

▶

Debian

CVE-2011-4139: python-django - Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to ...↗2011

▶

💬Community

Bugzilla

Django: Host header poisoning hardening↗2013-02-20

▶

Bugzilla

CVE-2011-4136, CVE-2011-4137, CVE-2011-4138, CVE-2011-4139, CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws [epel-6]↗2011-09-30

▶

Bugzilla

CVE-2011-4136 CVE-2011-4137 CVE-2011-4138 CVE-2011-4139 CVE-2011-4140 Django: v1.3.1, v1.2.7 multiple security flaws↗2011-09-11

▶