CVE-2012-4520
Published 2012-11-18
Priority: P338 · medium · CVSS 2.0: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
EPSS: 3.64% (88.1st percentile)
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.4.2-1 (bookworm) | python-django 1.4.2-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.3 < 1.3.4 | 1.3.4 |
| djangoproject | django | >= 1.4 < 1.4.2 | 1.4.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |
| vendor_ubuntu | — | 6.4 | MEDIUM | — |
Ubuntu
Django vulnerabilities
vendor_ubuntu·2013-03-07·CVSS 6.4
Summary: Several security issues were fixed in Django.
James Kettle discovered that Django did not properly filter the Host HTTP header when processing certain requests. An attacker could exploit this to generate and display arbitrary URLs to users. Although this issue had been previously addressed in USN-1632-1, this update adds additional hardening measures to host header validation. This update also adds a new ALLOWED_HOSTS setting that can be set to a list of acceptable values for headers. (CVE-2012-4520)
Orange Tsai discovered that Django incorrectly performed permission checks when displaying the history view in the admin interface. An administrator could use this flaw to view the history of any object, regardless of intended permissions. (CVE-2013-03
Ubuntu
Django vulnerability
vendor_ubuntu·2012-11-15
Summary: Django could be made to expose sensitive information over the network.
James Kettle discovered Django did not properly filter the Host HTTP header when processing certain requests. An attacker could exploit this to generate and display arbitrary URLs to users.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Django: Host header poisoning vulnerability
vendor_redhat·2012-10-17·CVSS 6.4
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
Package: Django (Red Hat Subscription Asset Manager) - Affected
Debian
CVE-2012-4520: python-django - The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1...
vendor_debian·2012·CVSS 6.4
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
Scope: local
bookworm: resolved (fixed in 1.4.2-1)
bullseye: resolved (fixed in 1.4.2-1)
forky: resolved (fixed in 1.4.2-1)
sid: resolved (fixed in 1.4.2-1)
trixie: resolved (fixed in 1.4.2-1)
Red Hat
libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
vendor_redhat·2009-09-16·CVSS 5.0
CVE-2013-4520 [MEDIUM] libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.
Statement: Not vulnerable. This issue was corrected in Red Hat Enterprise Linux 5 via RHSA-2012:1265. It did not affect Red Hat Enterprise Linux 6.
Package: libxslt (Red Hat Enterprise Linux 4) - Will not fix
Package: libxslt (Red Hat Enterprise Linux 5) - Not affected
Package: libxslt (Red Hat Enterprise Linux 6) - Not affected
OSV
Django Allows Arbitrary URL Generation
osv·2022-05-17
CVE-2012-4520 [HIGH] Django Allows Arbitrary URL Generation
The `django.http.HttpRequest.get_host` function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
GHSA
Django Allows Arbitrary URL Generation
ghsa·2022-05-17
CVE-2012-4520 [HIGH] CWE-20 Django Allows Arbitrary URL Generation
The `django.http.HttpRequest.get_host` function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
OSV
CVE-2012-4520: The django
osv·2012-11-18·CVSS 6.4
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4520 libxslt: DoS when reading unexpected DTD nodes in XSLT in versions prior to 1.1.25
bugzilla·2013-11-06·CVSS 5.0
It was reported that the fix for CVE-2012-2825 was incomplete for versions of libxslt prior to 1.1.25. The same flaw is still present in those older versions of libxslt without this additional fix:
https://gitorious.org/libxslt/libxslt/commit/7089a62b8f133b42a2981cf1f920a8b3fe9a8caa
This never affected the versions of libxslt as provided with Red Hat Enterprise Linux 6 or Fedora. It was also corrected in Red Hat Enterprise Linux 5's libxslt as fixed with CVE-2012-2825 (RHSA-2012:1265) as the patch was included in our packages as noted in the changelog.
- CVE-2012-2825 requires an extra patch on 1.1.17
Statement:
Not vulnerable. This issue was corrected in Red Hat Enterprise Linux 5 via R
Bugzilla
Django: Host header poisoning hardening
bugzilla·2013-02-20·CVSS 5.0
James Bennett of Django reports:
Issue: Host header poisoning
Several previous Django security releases have attempted to address persistent issues with the HTTP Host header. Django contains code -- and some functionality shipped with Django itself makes use of that code -- for constructing a fully-qualified URL based on the incoming HTTP request. Depending on configuration, this makes use of the Host header, and so an attacker who can cause a Django application to respond to arbitrary Host headers can cause Django to generate, and display to end users, URLs on arbitrary domains.
Previous iterations of this issue (see CVE-2011-4139 and CVE-2012-4520) have focused on tightening Django's parsing of Host headers, to eliminate various means by which
Bugzilla
CVE-2012-4520 Django: Host header poisoning vulnerability [fedora-all]
bugzilla·2012-10-18·CVSS 6.4
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this issue affects mu
Bugzilla
CVE-2012-4520 Django: Host header poisoning vulnerability [epel-6]
bugzilla·2012-10-18·CVSS 6.4
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
epel-6 tracking bug for Django: s
Bugzilla
CVE-2012-4520 Django: Host header poisoning vulnerability
bugzilla·2012-10-10·CVSS 6.4
It was reported that Django's built-in parsing of the Host header was incorrectly handling username/password information (in django.http.HttpRequest.get_host()). This could allow a remote attacker to cause parts of Django, in particular the password-reset mechanism, to generate and display arbitrary URLs to end-users.
Acknowledgements:
Red Hat would like to thank the upstream Django project for reporting this vulnerability.
Discussion:
Created attachment 625210
Upstream patch to correct the flaw in Django 1.3.x.
---
Created attachment 625211
Upstream patch to correct the flaw in Django 1.4.x.
---
This has been assigned the name CVE-2012-4520.
---
This is now public https://www.djangoproject.com/weblog/2012/oct/17/security
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
http://secunia.com/advisories/51033
http://secunia.com/advisories/51314
http://securitytracker.com/id?1027708
http://ubuntu.com/usn/usn-1632-1
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
http://www.openwall.com/lists/oss-security/2012/10/30/4
http://www.osvdb.org/86493
https://bugzilla.redhat.com/show_bug.cgi?id=865164
https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
https://www.djangoproject.com/weblog/2012/oct/17/security/