Vulnerability Description
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
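As an added illustration (not code from this record or from Django itself), the class of regular-expression anchoring mistake the description refers to, shown with simplified constructed patterns for the email and slug cases: in Python's re module `$` also matches just before a trailing newline, so a value ending in `\n` passes a `^...$` check, whereas `\Z` matches only at the true end of the input.

```python
import re

# Constructed, simplified pattern bodies for this example; they are not
# Django's real validator patterns, only stand-ins for the same anchoring issue.
EMAIL_BODY = r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"
SLUG_BODY = r"[-a-zA-Z0-9_]+"


def matches_with_dollar(body: str, value: str) -> bool:
    """Weak anchoring: '$' also matches before a final '\\n', so a trailing
    newline slips through and can later land in an HTTP header line."""
    return re.match(r"^" + body + r"$", value) is not None


def matches_with_end_anchor(body: str, value: str) -> bool:
    """Strict anchoring: '\\Z' matches only at the real end of the string,
    so any trailing newline makes the whole match fail."""
    return re.match(r"^" + body + r"\Z", value) is not None


def contains_line_break(value: str) -> bool:
    """Defence in depth: a validated value that still carries CR or LF must
    never be written into a response header, whatever the validator said."""
    return "\r" in value or "\n" in value


def audit(value: str) -> dict:
    """Run one constructed input through both anchoring styles for the
    email and slug bodies and report which of them would have accepted it."""
    return {
        "email_dollar": matches_with_dollar(EMAIL_BODY, value),
        "email_strict": matches_with_end_anchor(EMAIL_BODY, value),
        "slug_dollar": matches_with_dollar(SLUG_BODY, value),
        "slug_strict": matches_with_end_anchor(SLUG_BODY, value),
        "has_line_break": contains_line_break(value),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a clean value and one with a trailing newline.
    for sample in ("user@example.com", "user@example.com\n", "my-slug", "my-slug\n"):
        print(repr(sample), audit(sample))
```

`re.fullmatch` (Python 3.4 and later) is an equivalent fix to `\Z`, since it requires the pattern to consume the entire string.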
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 12.04 |
| Djangoproject | Django | <= 1.4.20 |
| Debian | Debian Linux | 7.0 |
| Oracle | Solaris | 11.3 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.h
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
- http://www.debian.org/security/2015/dsa-3305 (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html (Third Party Advisory)
- http://www.securityfocus.com/bid/75665
- http://www.securitytracker.com/id/1032820
- http://www.ubuntu.com/usn/USN-2671-1 (Third Party Advisory)
- https://security.gentoo.org/glsa/201510-06
- https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ (Vendor Advisory)
FAQ
What is CVE-2015-5144?
CVE-2015-5144 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP r...
How severe is CVE-2015-5144?
CVE-2015-5144 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2015-5144?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Djangoproject Django, Debian Debian Linux, Oracle Solaris.