CVE-2011-4139

EPSS 0.57%
Published 19.10.2011 10:55:04
Last modified 11.04.2025 00:51:21
Source cve@mitre.org
Teams watchlist Login
Open Login

Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request.

Affected products Warnungen 0 Metrics 2 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Djangoproject ≫ Django Version <= 1.2.6

Djangoproject ≫ Django Version0.91

Djangoproject ≫ Django Version0.95

Djangoproject ≫ Django Version0.95.1

Djangoproject ≫ Django Version0.96

Djangoproject ≫ Django Version1.0

Djangoproject ≫ Django Version1.0.1

Djangoproject ≫ Django Version1.0.2

Djangoproject ≫ Django Version1.1

Djangoproject ≫ Django Version1.1.0

Djangoproject ≫ Django Version1.1.2

Djangoproject ≫ Django Version1.1.3

Djangoproject ≫ Django Version1.2

Djangoproject ≫ Django Version1.2.1

Djangoproject ≫ Django Version1.2.1 Update2

Djangoproject ≫ Django Version1.2.2

Djangoproject ≫ Django Version1.2.3

Djangoproject ≫ Django Version1.2.4

Djangoproject ≫ Django Version1.2.5

Djangoproject ≫ Django Version1.3

Djangoproject ≫ Django Version1.3 Updatealpha1

Djangoproject ≫ Django Version1.3 Updatealpha2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.57%	0.659

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://openwall.com/lists/oss-security/2011/09/11/1

Patch

http://openwall.com/lists/oss-security/2011/09/13/2

Patch

https://bugzilla.redhat.com/show_bug.cgi?id=737366

Patch

https://www.djangoproject.com/weblog/2011/sep/09/

Patch

Vendor Advisory

https://www.djangoproject.com/weblog/2011/sep/10/127/

Patch

http://secunia.com/advisories/46614