CVE-2015-5144
Canonical Ubuntu Linux < 1.4.20 - Improper Input Validation
Title source: ruleDescription
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
References (10)
Core 10
Core References
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201510-06
Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2015/dsa-3305
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/75665
Third Party Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2671-1
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1032820
Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Scores
EPSS
0.0367
EPSS Percentile
88.3%
Details
CWE
CWE-20
Status
published
Products (38)
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
15.04
canonical/ubuntu_linux
15.10
debian/debian_linux
7.0
debian/debian_linux
8.0
djangoproject/django
1.5 (3 CPE variants)
djangoproject/django
1.5.1
djangoproject/django
1.5.2
djangoproject/django
1.5.3
... and 28 more
Published
Jul 14, 2015
Tracked Since
Feb 18, 2026