CVE-2012-4520

Published: Nov 18, 2012Modified: Apr 29, 2026

6.4

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability: 10.0 / Impact: 4.9

Source: NVD

Description

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.

Affected (8)

Products: Djangoproject: Django

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Djangoproject Django	Version 1.3.1
Djangoproject Django	Version 1.3.2
Djangoproject Django	Version 1.3.3
Djangoproject Django	Version 1.3
Djangoproject Django	Version 1.3 alpha1
Djangoproject Django	Version 1.3 beta1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Djangoproject Django	Version 1.4.1
Djangoproject Django	Version 1.4

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (34)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html

Source: secalert@redhat.com

http://secunia.com/advisories/51033

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/51314

Source: secalert@redhat.com

Vendor Advisory

http://securitytracker.com/id?1027708

Source: secalert@redhat.com

http://ubuntu.com/usn/usn-1632-1

Source: secalert@redhat.com

http://ubuntu.com/usn/usn-1757-1

Source: secalert@redhat.com

http://www.debian.org/security/2013/dsa-2634

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2012/10/30/4

Source: secalert@redhat.com

http://www.osvdb.org/86493

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=865164

Source: secalert@redhat.com

https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3

Source: secalert@redhat.com

https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e

Source: secalert@redhat.com

https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071

Source: secalert@redhat.com

https://www.djangoproject.com/weblog/2012/oct/17/security/

Source: secalert@redhat.com

PatchVendor Advisory

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/51033

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/51314

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://securitytracker.com/id?1027708

Source: af854a3a-2127-422b-91ae-364da2661108

http://ubuntu.com/usn/usn-1632-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://ubuntu.com/usn/usn-1757-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2634

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2012/10/30/4

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.osvdb.org/86493

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=865164

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.djangoproject.com/weblog/2012/oct/17/security/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.