Vulnerability Details : CVE-2012-4520
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
Vulnerability category: Input validation
Products affected by CVE-2012-4520
- cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.4.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-4520
- EPSS score: 0.67% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~77% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2012-4520
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | |
CWE ids for CVE-2012-4520
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2012-4520
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html ([SECURITY] Fedora 18 Update: python-django-1.4.2-1.fc18)
- https://www.djangoproject.com/weblog/2012/oct/17/security/ (Security releases issued | Weblog | Django; Patch, Vendor Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html ([SECURITY] Fedora 17 Update: Django-1.4.2-1.fc17)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145 (#691145 - python-django: CVE-2012-4520 - Debian Bug report logs)
- http://www.openwall.com/lists/oss-security/2012/10/30/4 (oss-security - Re: CVE Request: Django)
- http://securitytracker.com/id?1027708 (Django Host Header Filtering Bug Lets Remote Users Cause Arbitrary URLs to be Displayed - SecurityTracker)
- https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e (Fixed a security issue related to password resets · django/django@9305c0e · GitHub)
- http://ubuntu.com/usn/usn-1632-1 (USN-1632-1: Django vulnerability | Ubuntu security notices)
- https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3 (Fixed a security issue related to password resets · django/django@92d3430 · GitHub)
- http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html ([SECURITY] Fedora 16 Update: Django-1.3.4-1.fc16)
- http://ubuntu.com/usn/usn-1757-1 (USN-1757-1: Django vulnerabilities | Ubuntu security notices)
- http://www.debian.org/security/2013/dsa-2634 (Debian -- Security Information -- DSA-2634-1 python-django)
- https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071 (Fixed a security issue related to password resets · django/django@b45c377 · GitHub)
- https://bugzilla.redhat.com/show_bug.cgi?id=865164 (865164 – (CVE-2012-4520) CVE-2012-4520 Django: Host header poisoning vulnerability)