CVE-2011-4138

The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:0.91:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:0.95:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:0.95.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:0.96:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.0:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.2.1:2:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.3:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.3:alpha1:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:1.3:alpha2:*:*:*:*:*:*

History

21 Nov 2024, 01:31

Type Values Removed Values Added
References () http://openwall.com/lists/oss-security/2011/09/11/1 - Patch () http://openwall.com/lists/oss-security/2011/09/11/1 - Patch
References () http://openwall.com/lists/oss-security/2011/09/13/2 - Patch () http://openwall.com/lists/oss-security/2011/09/13/2 - Patch
References () http://secunia.com/advisories/46614 - () http://secunia.com/advisories/46614 -
References () http://www.debian.org/security/2011/dsa-2332 - () http://www.debian.org/security/2011/dsa-2332 -
References () https://bugzilla.redhat.com/show_bug.cgi?id=737366 - Patch () https://bugzilla.redhat.com/show_bug.cgi?id=737366 - Patch
References () https://hermes.opensuse.org/messages/14700881 - () https://hermes.opensuse.org/messages/14700881 -
References () https://www.djangoproject.com/weblog/2011/sep/09/ - Patch, Vendor Advisory () https://www.djangoproject.com/weblog/2011/sep/09/ - Patch, Vendor Advisory
References () https://www.djangoproject.com/weblog/2011/sep/10/127/ - Patch () https://www.djangoproject.com/weblog/2011/sep/10/127/ - Patch

Information

Published : 2011-10-19 10:55

Updated : 2024-11-21 01:31


NVD link : CVE-2011-4138

Mitre link : CVE-2011-4138

CVE.ORG link : CVE-2011-4138


JSON object : View

Products Affected

djangoproject

  • django
CWE
CWE-20

Improper Input Validation