CVE Vulnerabilities

CVE-2015-0219

Published: Jan 16, 2015 | Modified: Dec 22, 2016
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 5 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.

Affected Software

Name    Vendor         Start Version  End Version
Django  Djangoproject  *              1.4.17
Django  Djangoproject  1.6.7          1.6.7
Django  Djangoproject  1.6.5          1.6.5
Django  Djangoproject  1.6.8          1.6.8
Django  Djangoproject  1.6.6          1.6.6
Django  Djangoproject  1.7.2          1.7.2
Django  Djangoproject  1.6.3          1.6.3
Django  Djangoproject  1.6            1.6
Django  Djangoproject  1.6.4          1.6.4
Django  Djangoproject  1.6.1          1.6.1
Django  Djangoproject  1.6.2          1.6.2
Django  Djangoproject  1.7            1.7
Django  Djangoproject  1.6.9          1.6.9
Django  Djangoproject  1.7.1          1.7.1
