CVE-2015-0219
published 2015-01-16
CVE-2015-0219: Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of…
Priority: P4 (medium)
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
EPSS: 6.78% (93.2nd percentile)
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 1.7.1-1.1 (bookworm) | python-django 1.7.1-1.1 (bookworm) |
| djangoproject | django | <= 1.4.17 | — |
| djangoproject | django | >= 0 < 1.4.18 | 1.4.18 |
| djangoproject | django | >= 1.6 < 1.6.10 | 1.6.10 |
| djangoproject | django | >= 1.7 < 1.7.3 | 1.7.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
GHSA · 2022-05-17 · CVE-2015-0219 [MEDIUM] CWE-290
Django WSGI Header Spoofing Vulnerability
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an `_` (underscore) character instead of a `-` (dash) character in an HTTP header, as demonstrated by an `X-Auth_User` header.
OSV · 2022-05-17 · CVE-2015-0219 [MEDIUM]
Django WSGI Header Spoofing Vulnerability
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an `_` (underscore) character instead of a `-` (dash) character in an HTTP header, as demonstrated by an `X-Auth_User` header.
OSV · 2015-01-16 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
CVE-2015-0219: Django before 1
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
OSV · 2015-01-13 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
python-django vulnerabilities
Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments. (CVE-2015-0219)
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-0220)
Alex Gaynor discovered that Django incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service. (CVE-2015-0221)
Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceField. A remote attacker could possibly use this issue
to
Ubuntu · 2015-02-04 · CVSS 5.0 · CVE-2015-0221 [MEDIUM]
Title: Django regression
Summary: USN-2469-1 caused a regression in Django.
USN-2469-1 fixed vulnerabilities in Django. The security fix for
CVE-2015-0221 introduced a regression on Ubuntu 10.04 LTS and Ubuntu 12.04
LTS when serving static content through GZipMiddleware. This update fixes
the problem.
We apologize for the inconvenience.
Original advisory details:
Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments. (CVE-2015-0219)
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-0220)
Alex Gaynor discovered that Django incorre
Ubuntu · 2015-01-13 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments. (CVE-2015-0219)
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-0220)
Alex Gaynor discovered that Django incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service. (CVE-2015-0221)
Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceFi
Red Hat · 2015-01-13 · CVSS 5.0 · CVE-2015-0219 [MEDIUM] CWE-20
Django: WSGI header spoofing via underscore/dash conflation
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Not affected
Package: Django14 (Red Hat OpenStack Platform 4) - Not affected
Package: Django (Red Hat Subscription Asset Manager) - Not affected
Debian · 2015 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
CVE-2015-0219: python-django - Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote ...
Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
Scope: local
bookworm: resolved (fixed in 1.7.1-1.1)
bullseye: resolved (fixed in 1.7.1-1.1)
forky: resolved (fixed in 1.7.1-1.1)
sid: resolved (fixed in 1.7.1-1.1)
trixie: resolved (fixed in 1.7.1-1.1)
No detection rules found.
No public exploits indexed.
Bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
CVE-2015-0219 Django14: Django: WSGI header spoofing via underscore/dash conflation [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for Django14: se
Bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
CVE-2015-0219 python-django14: Django: WSGI header spoofing via underscore/dash conflation [fedora-20]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
fedora-20 tracking bug for pyth
Bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
CVE-2015-0219 python-django: Django: WSGI header spoofing via underscore/dash conflation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
Bugzilla · 2015-01-14 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
CVE-2015-0219 python-django: Django: WSGI header spoofing via underscore/dash conflation [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for python-
Bugzilla · 2015-01-07 · CVSS 5.0 · CVE-2015-0219 [MEDIUM]
CVE-2015-0219 Django: WSGI header spoofing via underscore/dash conflation
The Django project reports the following issue:
"""
When HTTP headers are placed into the WSGI environ, they are normalized by converting to uppercase, converting all dashes to underscores, and prepending `HTTP_`. For instance, a header ``X-Auth-User`` would become ``HTTP_X_AUTH_USER`` in the WSGI environ (and thus also in Django's ``request.META`` dictionary).
Unfortunately, this means that the WSGI environ cannot distinguish between headers containing dashes and headers containing underscores: ``X-Auth-User`` and ``X-Auth_User`` both become ``HTTP_X_AUTH_USER``. This means that if a header is used in a security-sensitive way (for instance, passing authentication information along from a front-end proxy), even if
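The collision the Django report describes, worked through as an added example (my code, not Django's and not from any advisory above): a toy CGI-style environ builder shows `X-Auth-User` and `X-Auth_User` landing on the same `HTTP_X_AUTH_USER` key, and a filter that drops underscore-form header names before environ construction (the mitigation applied in Django's fixed development server, and nginx's default `underscores_in_headers off`) keeps only the proxy-controlled value. The header names and values are constructed for the demo.

```python
# Added example (not Django's or the advisories' code). Models how a
# CGI-style WSGI server folds header names into environ keys and a filter
# that drops underscore-form names before they collide with dash-form ones.
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # (name, value) pairs in wire order


def wsgi_key(name: str) -> str:
    """CGI/WSGI normalization: uppercase, '-' -> '_', prepend HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(headers: Headers) -> Dict[str, str]:
    """Vulnerable construction: names that differ only by '-' vs '_' land
    on the same key; like wsgiref, repeated keys are comma-joined, so the
    client's value is mixed into the proxy's trusted header."""
    environ: Dict[str, str] = {}
    for name, value in headers:
        key = wsgi_key(name)
        environ[key] = environ[key] + "," + value if key in environ else value
    return environ


def drop_underscore_headers(headers: Headers) -> Headers:
    """Mitigation: refuse any header whose wire name contains '_', so only
    the dash-form name (the one the proxy controls) can reach environ."""
    return [(n, v) for n, v in headers if "_" not in n]


def build_environ_safe(headers: Headers) -> Dict[str, str]:
    return build_environ(drop_underscore_headers(headers))


# Constructed request: the proxy appended X-Auth-User after authenticating
# the client as "alice"; the client itself sent X-Auth_User: admin.
SAMPLE_REQUEST: Headers = [
    ("Host", "app.example"),
    ("X-Auth_User", "admin"),   # client-supplied, underscore form
    ("X-Auth-User", "alice"),   # proxy-supplied, dash form
]


def demo() -> Tuple[str, str]:
    """Return (vulnerable, mitigated) values seen under HTTP_X_AUTH_USER."""
    return (build_environ(SAMPLE_REQUEST)["HTTP_X_AUTH_USER"],
            build_environ_safe(SAMPLE_REQUEST)["HTTP_X_AUTH_USER"])
```

Whether a real server comma-joins, keeps the first, or keeps the last value for a repeated key varies; in every case the client-controlled value reaches a key the application trusts unless the underscore form is rejected before the environ is built.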
References
- http://advisories.mageia.org/MGASA-2015-0026.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
- http://secunia.com/advisories/62285
- http://secunia.com/advisories/62309
- http://secunia.com/advisories/62718
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:036
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:109
- http://www.ubuntu.com/usn/USN-2469-1
- https://www.djangoproject.com/weblog/2015/jan/13/security/
Published 2015-01-16