CVE-2019-12781

MEDIUM

Django 1.11-1.11.21, 2.1-2.1.9, 2.2-2.2.2 - Cleartext Transmission of Sensitive Information

Title source: llm
STIX 2.1

Description

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

References (12)

Core 12
Core References
Patch, Vendor Advisory x_refsource_misc
https://docs.djangoproject.com/en/dev/releases/security/
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/
Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/07/01/3
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4043-1/
Third Party Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/109018
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190705-0002/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4476
Third Party Advisory mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Jul/10

Scores

CVSS v3 5.3
EPSS 0.0390
EPSS Percentile 88.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-319
Status published
Products (7)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
canonical/ubuntu_linux 19.04
debian/debian_linux 9.0
djangoproject/django 1.11 - 1.11.22
pypi/Django 2.1 - 2.1.10PyPI
Published Jul 01, 2019
Tracked Since Feb 18, 2026