CVE-2015-5144
Published: 2015-07-14
Priority: P4 · 25 · medium · CVSS 2.0 base score 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N (network-reachable, medium access complexity, no authentication required; partial integrity impact, no confidentiality or availability impact)
EPSS: 3.67% (88.3rd percentile)
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
Affected
50 ranges on the source page, 25 shown. Rows that carried no version data are collapsed to one per vendor/product; the Django fixed versions are those given in the description above.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-django | < 1.7.9-1 (bookworm) | 1.7.9-1 (bookworm) |
| djangoproject | django | <= 1.4.20 | 1.4.21 |
| djangoproject | django | 1.5.x through 1.6.x | — |
| djangoproject | django | 1.7.x < 1.7.9 | 1.7.9 |
| djangoproject | django | 1.8.x < 1.8.3 | 1.8.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
The two 7.8 HIGH entries come from the Ubuntu notice, which bundles this issue with the CVE-2015-5143 session denial of service and is scored against that CVE (see the Ubuntu entry below); NVD, Debian and Red Hat score CVE-2015-5144 on its own at 4.3.
OSV
Django Vulnerable to HTTP Response Splitting Attack
osv · 2022-05-17 · CVE-2015-5144 · HIGH
Description identical to the NVD text above.
GHSA
Django Vulnerable to HTTP Response Splitting Attack
ghsa · 2022-05-17 · CVE-2015-5144 · HIGH · CWE-20 (Improper Input Validation)
Description identical to the NVD text above.
OSV
CVE-2015-5144 (NVD mirror; the entry title is the first words of the NVD description)
osv · 2015-07-14 · CVSS 4.3 · MEDIUM
Description identical to the NVD text above.
OSV
python-django vulnerabilities (mirror of the Ubuntu notice)
osv · 2015-07-09 · CVSS 7.8 · HIGH (scored against the bundled CVE-2015-5143)
Advisory text identical to the Ubuntu entry below: CVE-2015-5143 (session records, denial of service, reported by Eric Peterson and Lin Hua Cheng) and CVE-2015-5144 (newline characters accepted by validators, header injection, reported by Sjoerd Job Postmus).
Ubuntu
Django vulnerabilities
vendor_ubuntu · 2015-07-09 · CVSS 7.8 · HIGH (scored against the bundled CVE-2015-5143)
Summary: Several security issues were fixed in Django.
Eric Peterson and Lin Hua Cheng discovered that Django incorrectly handled
session records. A remote attacker could use this issue to cause a denial
of service. (CVE-2015-5143)
Sjoerd Job Postmus discovered that Django incorrectly handled newline
characters when performing validation. A remote attacker could use this
issue to perform header injection attacks. (CVE-2015-5144)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Django: possible header injection due to validators accepting newlines in input
vendor_redhat · 2015-07-08 · CVSS 4.3 · MEDIUM · CWE-185 (Incorrect Regular Expression)
Description identical to the NVD text above.
Statement: This issue affects the version of python-django as included with Red Hat Enterprise Linux OpenStack Platform 5 and 6 however there is no known security impact in a supported use-case at this time.
A future update may address this issue.
Package: python-django (Red Hat Enterprise Linux Open
Debian
CVE-2015-5144: python-django
vendor_debian · 2015 · CVSS 4.3 · MEDIUM
Description identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 1.7.9-1)
bullseye: resolved (fixed in 1.7.9-1)
forky: resolved (fixed in 1.7.9-1)
sid: resolved (fixed in 1.7.9-1)
trixie: resolved (fixed in 1.7.9-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-5144 python-django: Django: possible header injection due to validators accepting newlines in input [fedora-all]
bugzilla · 2015-07-14 · CVSS 4.3 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
Bugzilla
CVE-2015-5144 Django14: Django: possible header injection due to validators accepting newlines in input [epel-6]
bugzilla · 2015-07-14 · CVSS 4.3 · MEDIUM
Automatically created tracking bug for Fedora EPEL; the boilerplate text is identical to the fedora-all tracking bug above.
epel-6 tracking
Bugzilla
CVE-2015-5144 python-django: Django: possible header injection due to validators accepting newlines in input [epel-7]
bugzilla · 2015-07-14 · CVSS 4.3 · MEDIUM
Automatically created tracking bug for Fedora EPEL; the boilerplate text is identical to the fedora-all tracking bug above.
epel-7 trac
Bugzilla
CVE-2015-5144 Django: possible header injection due to validators accepting newlines in input
bugzilla · 2015-07-03 · CVSS 4.3 · MEDIUM
The following flaw was found in Django:
Some of Django's built-in validators ('django.core.validators.EmailValidator', most seriously) didn't prohibit newline characters (due to the usage of '$' instead of '\Z' in the regular expressions). If an application uses values with newlines in HTTP response or email headers, it can allow an attacker to perform header injection attacks. Django itself isn't vulnerable because 'django.http.HttpResponse' and the mail sending utilities in 'django.core.mail' prohibit newlines in HTTP and SMTP headers, respectively.
While the validators have been fixed in Django, when creating HTTP responses or email messages in other ways, ensure that those methods prohibit
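The anchor bug described above, as an added example (this is not Django's own code): a simplified validator regex written with `$` next to the same regex written with `\Z`, an audit helper that flags the leaky anchor, a hand-rolled header serializer with no newline check of the kind the advisory warns about, and a lenient header parser that shows what a single stray LF does to the headers placed after the tainted value. The regexes, header names and attacker input are constructed for this example; the only fact taken from the advisory is that Python's `$` matches before one trailing newline, which is exactly what the pre-fix validators let through.

```python
# Added example, not Django's code: the '$' vs '\Z' anchor bug behind
# CVE-2015-5144 and its downstream effect on hand-built headers.
import re

# Constructed stand-ins for a validator regex; only the final anchor differs.
# Django's real EmailValidator is more elaborate, but the anchor is the bug.
VULNERABLE_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.IGNORECASE)   # '$'  : pre-fix
FIXED_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}\Z", re.IGNORECASE)       # '\Z' : post-fix


def matches(pattern, value):
    """True if the pattern accepts the value (match() anchors at the start)."""
    return pattern.match(value) is not None


def anchor_is_leaky(pattern, known_good):
    """Audit helper: a pattern ending in '$' accepts a known-good value with
    one '\\n' appended, because '$' also matches just before a final newline."""
    return matches(pattern, known_good) and matches(pattern, known_good + "\n")


def vulnerable_header_block(headers):
    """Naive serializer with no newline check. headers: list of (name, value).
    Returns the raw header block as bytes, terminated by an empty line."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers).encode() + b"\r\n"


class BadHeaderError(ValueError):
    """Raised when a header name or value contains CR or LF."""


def safe_header(name, value):
    """Serialize one header, refusing CR/LF in the name or the value. This is
    the check that keeps a validated-but-tainted value out of the wire format."""
    if any(ch in name or ch in value for ch in "\r\n"):
        raise BadHeaderError(f"newline in header {name!r}")
    return f"{name}: {value}\r\n"


def parse_lenient(block):
    """Parse a raw header block the way a lenient receiver does: CRLF or a
    bare LF ends a line, and the first empty line ends the headers.
    Returns (header_lines, body)."""
    lines = re.split(r"\r?\n", block.decode())
    for i, line in enumerate(lines):
        if line == "":
            return lines[:i], "\n".join(lines[i + 1:])
    return lines, ""


def demo():
    """Run the chain on a constructed attacker value; return the header lines
    and the body a lenient receiver would see."""
    tainted = "user@example.com\n"            # constructed attacker input
    assert matches(VULNERABLE_RE, tainted)    # pre-fix validator accepts it
    assert not matches(FIXED_RE, tainted)     # post-fix validator rejects it
    block = vulnerable_header_block([
        ("Content-Type", "text/plain"),
        ("X-Reply-To", tainted),              # validated value, used verbatim
        ("X-Frame-Options", "DENY"),          # the header that ends up in the body
    ])
    return parse_lenient(block)


if __name__ == "__main__":
    headers, body = demo()
    print("headers seen:", headers)
    print("body seen:", repr(body))
```

Only one trailing LF survives `$`; a CRLF does not, so the reachable effect is ending the header block early under a receiver that treats a bare LF as a line terminator, which pushes every header written after the tainted one into the body. On Python 3.4 and later, `re.fullmatch` is an equivalent fix to `\Z`, since it requires the match to span the whole string. The check in `safe_header` is what to apply wherever values are written into HTTP or SMTP headers by code other than `django.http.HttpResponse` or `django.core.mail`, which is the advice the Red Hat entry above gives.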
Bugzilla
CVE-2009-5144 CVE-2015-2091 mod_gnutls: GnuTLSClientVerify require is ignored in directory and server context
bugzilla · 2015-02-27 · CVSS 7.5 · HIGH
This entry concerns a different issue (CVE-2009-5144 in mod_gnutls) that shares only its numeric suffix with CVE-2015-5144; it does not involve Django.
It was reported that under certain conditions mod_gnutls ignores "GnuTLSClientVerify require" when specified in directory [1] and server [2] context.
Suggested commit that fixes [2] is:
https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2
Patch for [1] is attached in the corresponding bug report.
[1]: http://issues.outoforder.cc/view.php?id=93
[2]: https://bugs.debian.org/578663
Discussion:
Created mod_gnutls tracking bugs for this issue:
Affects: fedora-all [bug 1197128]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to th
References
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
http://www.debian.org/security/2015/dsa-3305
http://www.ubuntu.com/usn/USN-2671-1
https://security.gentoo.org/glsa/201510-06
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://www.securityfocus.com/bid/75665
http://www.securitytracker.com/id/1032820