CVE-2015-0219

MEDIUM severity · CVSS 5 · CWE-17

5CVSS MEDIUM

Summary

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges required—

User interaction—

Confidentiality impactNone

Integrity impact—

Availability impactNone

Exploit probability (EPSS)5%

AV:N/AC:L/Au:N/C:N/I:P/A:N

Affected products we track (1)

Django

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://advisories.mageia.org/MGASA-2015-0026.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148485.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148608.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148696.html
http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html
http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html
http://secunia.com/advisories/62285
http://secunia.com/advisories/62309