Vulnerability Description
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
CVSS Score
6.4
MEDIUM
AV:N/AC:L/Au:N/C:P/I:P/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Djangoproject | Django | 1.3 |
Related Weaknesses (CWE)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.ht
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.ht
- http://secunia.com/advisories/51033Vendor Advisory
- http://secunia.com/advisories/51314Vendor Advisory
- http://securitytracker.com/id?1027708
- http://ubuntu.com/usn/usn-1632-1
- http://ubuntu.com/usn/usn-1757-1
- http://www.debian.org/security/2013/dsa-2634
- http://www.openwall.com/lists/oss-security/2012/10/30/4
- http://www.osvdb.org/86493
- https://bugzilla.redhat.com/show_bug.cgi?id=865164
- https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
- https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
FAQ
What is CVE-2012-4520?
CVE-2012-4520 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host ...
How severe is CVE-2012-4520?
CVE-2012-4520 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-4520?
Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django.