CVE-2015-5144

Canonical Ubuntu Linux < 1.4.20 - Improper Input Validation

Title source: rule
STIX 2.1

Description

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

References (10)

Core 10
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201510-06
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3305
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75665
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2671-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032820

Scores

EPSS 0.0367
EPSS Percentile 88.3%

Details

CWE
CWE-20
Status published
Products (38)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.04
canonical/ubuntu_linux 15.10
debian/debian_linux 7.0
debian/debian_linux 8.0
djangoproject/django 1.5 (3 CPE variants)
djangoproject/django 1.5.1
djangoproject/django 1.5.2
djangoproject/django 1.5.3
... and 28 more
Published Jul 14, 2015
Tracked Since Feb 18, 2026