PT-2019-2628 · Django Software Foundation+3 · Django+3

Gavin Wahl · Published 2019-07-01 · Updated 2026-01-03 · CVE-2019-12781

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Django versions 1.11 before 1.11.22
Django versions 2.1 before 2.1.10
Django versions 2.2 before 2.2.3
Description

An issue in Django causes django.http.HttpRequest.scheme to report "https" for a request that the client actually sent over plain HTTP, when the application is deployed behind a reverse proxy that connects to Django via HTTPS and the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are in use. Because the proxy-to-Django leg is TLS, the fallback scheme detection sees a secure transport even though the configured proxy header says the client used HTTP, so is_secure() returns True and SECURE_SSL_REDIRECT never redirects the request to HTTPS. A remote attacker positioned on the client's network path may therefore observe data that the deployment intended to carry only over HTTPS.
Recommendations

For Django version 1.11 before 1.11.22, update to version 1.11.22 or later.
For Django version 2.1 before 2.1.10, update to version 2.1.10 or later.
For Django version 2.2 before 2.2.3, update to version 2.2.3 or later.
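The following is an added example, not code from this advisory or from the Django project: a minimal stand-in for the scheme detection in django.http.HttpRequest, written to reproduce the pre-fix and post-fix behaviour side by side on hand-built WSGI environ dictionaries. The deployment it assumes (a proxy that terminates client TLS, forwards the client's scheme in X-Forwarded-Proto, and talks to Django over HTTPS), the setting values, and all function names are the example's own choices.

```python
"""Model of CVE-2019-12781: proxy header ignored when it says 'http'.

Constructed illustration only. It mimics the decision made by
django.http.HttpRequest.scheme before and after the fix, and the
resulting SECURE_SSL_REDIRECT decision; it is not Django's own code.
"""

# Assumed settings for the example deployment.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_SSL_REDIRECT = True


def scheme_vulnerable(meta):
    """Pre-fix logic: trust the proxy header only when it carries the
    'https' value; otherwise fall back to the transport of the
    proxy-to-Django connection (stand-in for the old _get_scheme() path)."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == secure_value:
        return "https"
    return meta.get("wsgi.url_scheme", "http")


def scheme_fixed(meta):
    """Post-fix logic (1.11.22 / 2.1.10 / 2.2.3): if the configured header is
    present at all, its value decides the scheme, for both 'https' and
    anything else; the backend transport is consulted only when the proxy
    sent no header."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    header_value = meta.get(header)
    if header_value is not None:
        return "https" if header_value == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def needs_ssl_redirect(meta, scheme_fn):
    """Redirect decision: SECURE_SSL_REDIRECT is on and the request is not
    considered secure by the given scheme function."""
    return SECURE_SSL_REDIRECT and scheme_fn(meta) != "https"


def make_environ(client_scheme, forwarded=True):
    """Constructed WSGI environ for a request the proxy relayed over HTTPS.

    client_scheme is what the client really used; forwarded=False models a
    proxy that does not set the header at all.
    """
    meta = {
        "wsgi.url_scheme": "https",  # proxy -> Django leg is TLS in this setup
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/accounts/login/",
    }
    if forwarded:
        meta["HTTP_X_FORWARDED_PROTO"] = client_scheme
    return meta


def compare(client_scheme, forwarded=True):
    """Return (vulnerable_scheme, fixed_scheme,
               vulnerable_redirects, fixed_redirects) for one request."""
    meta = make_environ(client_scheme, forwarded)
    return (
        scheme_vulnerable(meta),
        scheme_fixed(meta),
        needs_ssl_redirect(meta, scheme_vulnerable),
        needs_ssl_redirect(meta, scheme_fixed),
    )


if __name__ == "__main__":
    cases = [
        ("client over HTTPS", ("https",)),
        ("client over plain HTTP", ("http",)),
        ("proxy sent no header", ("http", False)),
    ]
    for label, args in cases:
        vuln, fixed, r_vuln, r_fixed = compare(*args)
        print(f"{label:24s} scheme vuln={vuln:5s} fixed={fixed:5s} "
              f"redirect vuln={r_vuln} fixed={r_fixed}")
```

The middle case is the bug: the client spoke plain HTTP, the proxy said so in the header, yet the vulnerable logic answers "https" because the backend connection was TLS, and no redirect is issued. The last case shows the residual limitation that survives the fix: if the proxy omits the header, both versions can only report the transport they see, so a deployment must ensure the proxy sets the header on every request.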

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related identifiers

ALT-PU-2019-2367
BDU:2019-02513
CVE-2019-12781
DLA-1842-1
DSA-4476-1
GHSA-6C7V-2F49-8H26
OPENSUSE-SU-2019:1839-1
OPENSUSE-SU-2019:1872-1
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2019-10
RHSA-2020:1324
RHSA-2020:4366
RHSA-2020:4390
SUSE-SU-2019:2257-1
SUSE-SU-2019:2335-1
SUSE-SU-2019:2379-1
SUSE-SU-2019:3127-1
USN-4043-1

Affected products

Alt Linux
Django
Suse
Ubuntu