CVE-2012-4520

EUVD-2012-0006
The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
Affected Products (NVD)
VendorProductVersion
djangoprojectdjango
1.3
djangoprojectdjango
1.3:alpha1
djangoprojectdjango
1.3:beta1
djangoprojectdjango
1.3.1
djangoprojectdjango
1.3.2
djangoprojectdjango
1.3.3
djangoprojectdjango
1.4
djangoprojectdjango
1.4.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bookworm
3:3.2.19-1+deb12u1
fixed
bookworm (security)
3:3.2.19-1+deb12u1
fixed
bullseye
2:2.2.28-1~deb11u2
fixed
bullseye (security)
2:2.2.28-1~deb11u2
fixed
sid
3:4.2.16-1
fixed
trixie
3:4.2.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
hardy
ignored
lucid
Fixed 1.1.1-2ubuntu1.6
released
oneiric
Fixed 1.3-2ubuntu1.4
released
precise
Fixed 1.3.1-4ubuntu1.3
released
quantal
Fixed 1.4.1-2ubuntu0.1
released
Common Weakness Enumeration
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
http://secunia.com/advisories/51033
http://secunia.com/advisories/51314
http://securitytracker.com/id?1027708
http://ubuntu.com/usn/usn-1632-1
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
http://www.openwall.com/lists/oss-security/2012/10/30/4
http://www.osvdb.org/86493
https://bugzilla.redhat.com/show_bug.cgi?id=865164
https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
https://www.djangoproject.com/weblog/2012/oct/17/security/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
http://secunia.com/advisories/51033
http://secunia.com/advisories/51314
http://securitytracker.com/id?1027708
http://ubuntu.com/usn/usn-1632-1
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
http://www.openwall.com/lists/oss-security/2012/10/30/4
http://www.osvdb.org/86493
https://bugzilla.redhat.com/show_bug.cgi?id=865164
https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
https://www.djangoproject.com/weblog/2012/oct/17/security/