pysec-2012-7
Vulnerability from pysec
Published
2012-11-18 23:55
Modified
2021-07-15 02:22
Details
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django",
"purl": "pkg:pypi/django"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9305c0e12d43c4df999c3301a1f0c742264a657e"
},
{
"fixed": "b45c377f8f488955e0c7069cad3f3dd21910b071"
},
{
"fixed": "92d3430f12171f16f566c9050c40feefb830a4a3"
}
],
"repo": "https://github.com/django/django",
"type": "GIT"
},
{
"events": [
{
"introduced": "1.3"
},
{
"fixed": "1.3.4"
},
{
"introduced": "1.4"
},
{
"fixed": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3",
"1.3.1",
"1.3.2",
"1.3.3",
"1.4",
"1.4.1"
]
}
],
"aliases": [
"CVE-2012-4520"
],
"details": "The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.",
"id": "PYSEC-2012-7",
"modified": "2021-07-15T02:22:08.562601Z",
"published": "2012-11-18T23:55:00Z",
"references": [
{
"type": "FIX",
"url": "https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/86493"
},
{
"type": "ARTICLE",
"url": "https://www.djangoproject.com/weblog/2012/oct/17/security/"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1027708"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html"
},
{
"type": "ADVISORY",
"url": "http://secunia.com/advisories/51314"
},
{
"type": "ADVISORY",
"url": "http://secunia.com/advisories/51033"
},
{
"type": "FIX",
"url": "https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/10/30/4"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=865164"
},
{
"type": "FIX",
"url": "https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-1632-1"
},
{
"type": "ADVISORY",
"url": "http://www.debian.org/security/2013/dsa-2634"
},
{
"type": "WEB",
"url": "http://ubuntu.com/usn/usn-1757-1"
}
]
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.