PT-2011-4858 · Django · Django

Jan Lieskovsky · Published 2011-10-19 · Updated 2018-07-23 · CVE-2011-4140

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Django versions 1.2.0 through 1.2.7
Django versions 1.3.0 through 1.3.1

Description

The issue concerns the CSRF protection mechanism, which does not properly handle web-server configurations that accept arbitrary HTTP Host headers. This allows remote attackers to trigger unauthenticated forged requests through vectors involving a DNS CNAME record and a web page containing JavaScript code.

Recommendations

For Django versions 1.2.0 through 1.2.7 and 1.3.0 through 1.3.1, update to a version that properly handles web-server configurations supporting arbitrary HTTP Host headers.
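Added example, not code from this page or from Django itself: a hypothetical Host-header allow-list check placed in front of a Referer-based CSRF comparison for HTTPS requests. It shows why a server that answers for any Host value undermines the comparison, and how an explicit list of the site's own hostnames (assumed here to be `.example.com`; the sample hostnames are constructed) refuses such requests before any CSRF logic runs.

```python
from urllib.parse import urlsplit

def hostname_of(host: str) -> str:
    """Lower-case hostname from a Host header or URL netloc, port removed."""
    host = host.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:8000
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def validate_host(host: str, allowed_hosts) -> bool:
    """True only if the Host header names one of our own sites.

    A pattern is an exact hostname, or a leading-dot suffix such as
    ".example.com" that matches the domain itself and any subdomain.
    """
    name = hostname_of(host)
    if not name:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern.startswith("."):
            if name == pattern[1:] or name.endswith(pattern):
                return True
        elif name == pattern:
            return True
    return False

def csrf_referer_ok(referer, host, allowed_hosts=None) -> bool:
    """Referer check for an HTTPS request (hypothetical, simplified).

    With allowed_hosts=None the expected origin is derived from whatever
    Host the server accepted, so a Referer on a hostname the site does not
    own still matches (the weak behaviour). With an allow-list, an
    unrecognised Host is refused before any comparison happens.
    """
    if allowed_hosts is not None and not validate_host(host, allowed_hosts):
        return False
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and hostname_of(parts.netloc) == hostname_of(host)

# Constructed sample: the same HTTPS request seen with and without an allow-list.
WEAK = csrf_referer_ok("https://notours.example.net/page", "notours.example.net")
STRICT = csrf_referer_ok("https://notours.example.net/page", "notours.example.net",
                         allowed_hosts=[".example.com"])
```

Later Django releases ship this kind of check as the `ALLOWED_HOSTS` setting; the web server in front of the application should likewise be configured to serve only the site's own hostnames.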

Fix

CSRF


Weakness Enumeration

Related identifiers

CVE-2011-4140
DSA-2332-1
GHSA-H95J-H2RV-QRG4
PYSEC-2011-5

Affected products

Django