CVE-2015-0219: Authentication Bypass by Spoofing in Django

Severity: 5.0 MEDIUM (NVD)
EPSS: 4.8% (top 10.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 16
Latest update: May 17

Description

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (2 packages)

PyPI: djangoproject/django 1.6 1.6.10 +2
NVD: djangoproject/django 1.4.17 +13

Patches

🔴 Vulnerability Details (5)

GHSA: Django WSGI Header Spoofing Vulnerability (2022-05-17)
OSV: Django WSGI Header Spoofing Vulnerability (2022-05-17)
CVEList: CVE-2015-0219: Django before 1 (2015-01-16)
OSV: CVE-2015-0219: Django before 1 (2015-01-16)
OSV: python-django vulnerabilities (2015-01-13)

📋 Vendor Advisories (3)

Ubuntu: Django vulnerabilities (2015-01-13)
Red Hat: Django: WSGI header spoofing via underscore/dash conflation (2015-01-13)
Debian: CVE-2015-0219: python-django - Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote ... (2015)

💬 Community (5)

Bugzilla: CVE-2015-0219 Django14: Django: WSGI header spoofing via underscore/dash conflation [epel-6] (2015-01-14)
Bugzilla: CVE-2015-0219 python-django14: Django: WSGI header spoofing via underscore/dash conflation [fedora-20] (2015-01-14)
Bugzilla: CVE-2015-0219 python-django: Django: WSGI header spoofing via underscore/dash conflation [fedora-all] (2015-01-14)
Bugzilla: CVE-2015-0219 python-django: Django: WSGI header spoofing via underscore/dash conflation [epel-7] (2015-01-14)
Bugzilla: CVE-2015-0219 Django: WSGI header spoofing via underscore/dash conflation (2015-01-07)