CVE-2012-4520
Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 - Arbitrary URL Generation via Host Header (Host header poisoning)
The django.http.HttpRequest.get_host() method in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 returns the HTTP Host header without validating it. A remote attacker can send a Host header that contains userinfo, for example `www.example.com:x@attacker.example`; any absolute URL Django then derives from get_host(), such as the link in a password-reset e-mail, looks as though it refers to the legitimate site while a browser actually resolves it to the attacker-controlled host. Django 1.3.4 and 1.4.2 reject Host values that are not a plain hostname (or bracketed IPv6 literal) with an optional numeric port, raising SuspiciousOperation instead.
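The following is an added example, not Django's code and not part of the original entry. It reproduces the mechanism with a minimal stand-in for get_host() and for the absolute-URL building that password-reset e-mails rely on: the vulnerable path returns the header verbatim, the hardened path applies an allow-list pattern modelled on the check the linked fix commits introduce (hostname or bracketed IPv6 literal plus optional port). The Host value, the request META dictionaries, the `SuspiciousOperation` stand-in, the reset path and the exact regular expression are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (example only)."""


def get_host_unchecked(meta):
    """Pre-fix behaviour of HttpRequest.get_host(): the Host header is trusted verbatim.

    `meta` stands in for request.META, the WSGI environ dictionary.
    """
    if 'HTTP_HOST' in meta:
        return meta['HTTP_HOST']
    # No Host header: rebuild it from SERVER_NAME/SERVER_PORT as the WSGI spec suggests.
    host = meta['SERVER_NAME']
    port = str(meta['SERVER_PORT'])
    if port != '80':
        host = '%s:%s' % (host, port)
    return host


# Allow-list for a Host value: a hostname made of [a-z0-9.-], or a bracketed IPv6
# literal, followed by an optional numeric port. Userinfo ("user:pass@") can never
# match because '@' is not in either character class. This pattern is the
# example's own, modelled on the check the fix introduced.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")


def get_host_validated(meta):
    """Post-fix behaviour: reject a Host value that does not match the allow-list."""
    host = get_host_unchecked(meta)
    if not HOST_VALIDATION_RE.match(host.lower()):
        raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
    return host


def build_absolute_uri(host, path, secure=False):
    """How a framework turns a request host plus a path into a full URL (e.g. for e-mail)."""
    return '%s://%s%s' % ('https' if secure else 'http', host, path)


# Constructed attacker input: "www.example.com:x" becomes userinfo, attacker.example the host.
CRAFTED_HOST = 'www.example.com:x@attacker.example'
RESET_PATH = '/accounts/reset/MQ-3n1-abc/'  # constructed password-reset path


def poisoned_reset_link(meta, path=RESET_PATH):
    """Vulnerable flow: build the reset link and report where it really points."""
    url = build_absolute_uri(get_host_unchecked(meta), path)
    parts = urlsplit(url)
    return {
        'url': url,
        'appears_as': parts.username,   # what a victim skimming the link sees first
        'resolves_to': parts.hostname,  # the host a browser actually contacts
    }


def hardened_reset_link(meta, path=RESET_PATH):
    """Fixed flow: a crafted Host never reaches URL generation (returns None)."""
    try:
        return build_absolute_uri(get_host_validated(meta), path)
    except SuspiciousOperation:
        return None


if __name__ == '__main__':
    victim_request = {'HTTP_HOST': CRAFTED_HOST}
    print(poisoned_reset_link(victim_request))
    print(hardened_reset_link(victim_request))
    print(hardened_reset_link({'HTTP_HOST': 'www.example.com:8000'}))
```

The check is purely syntactic: any well-formed hostname still passes, so an attacker who can reach the application with an arbitrary Host header can still steer generated URLs to a domain they own. Django later added the ALLOWED_HOSTS setting so that get_host() rejects hosts outside an explicit allow-list; in front of a release that only has the syntactic check, the web server should route only requests for known virtual hosts to the application.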
References (17)
Third Party Advisory, VDB Entry (SecurityTracker): http://securitytracker.com/id?1027708
Third Party Advisory, VDB Entry (OSVDB): http://www.osvdb.org/86493
Third Party Advisory (Secunia): http://secunia.com/advisories/51314
Issue Tracking (Debian bug): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
Vendor Advisory (Ubuntu USN-1757-1): http://ubuntu.com/usn/usn-1757-1
Patch, Vendor Advisory (Django security release announcement): https://www.djangoproject.com/weblog/2012/oct/17/security/
Third Party Advisory (Secunia): http://secunia.com/advisories/51033
Issue Tracking (Red Hat Bugzilla): https://bugzilla.redhat.com/show_bug.cgi?id=865164
Mailing List, Third Party Advisory (Fedora package-announce): http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
Vendor Advisory (Ubuntu USN-1632-1): http://ubuntu.com/usn/usn-1632-1
Mailing List (oss-security): http://www.openwall.com/lists/oss-security/2012/10/30/4
Patch (Django commit b45c377): https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
Mailing List, Third Party Advisory (Fedora package-announce): http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
Patch (Django commit 92d3430): https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
Third Party Advisory (Debian DSA-2634): http://www.debian.org/security/2013/dsa-2634
Mailing List, Third Party Advisory (Fedora package-announce): http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
Patch (Django commit 9305c0e): https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
Scores
EPSS: 0.0364 (percentile 88.1%)
Details
CWE: CWE-20 (Improper Input Validation)
Status: published
Products (7)
djangoproject/django 1.3 (3 CPE variants)
djangoproject/django 1.3.1
djangoproject/django 1.3.2
djangoproject/django 1.3.3
djangoproject/django 1.4
djangoproject/django 1.4.1
pypi/Django >= 1.3, < 1.3.4 (PyPI; 1.3.4 is the fixed release)
Published: Nov 18, 2012
Tracked Since: Feb 18, 2026