CVE-2012-4520

The django.http.HttpRequest.get_host function in Django 1.3.x before 1.3.4 and 1.4.x before 1.4.2 allows remote attackers to generate and display arbitrary URLs via crafted username and password Host header values.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
djangoprojectdjango
1.3
djangoprojectdjango
1.3:alpha1
djangoprojectdjango
1.3:beta1
djangoprojectdjango
1.3.1
djangoprojectdjango
1.3.2
djangoprojectdjango
1.3.3
djangoprojectdjango
1.4
djangoprojectdjango
1.4.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bullseye (security)
2:2.2.28-1~deb11u2
fixed
bullseye
2:2.2.28-1~deb11u2
fixed
bookworm
3:3.2.19-1+deb12u1
fixed
bookworm (security)
3:3.2.19-1+deb12u1
fixed
sid
3:4.2.16-1
fixed
trixie
3:4.2.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
quantal
Fixed 1.4.1-2ubuntu0.1
released
precise
Fixed 1.3.1-4ubuntu1.3
released
oneiric
Fixed 1.3-2ubuntu1.4
released
lucid
Fixed 1.1.1-2ubuntu1.6
released
hardy
ignored
Common Weakness Enumeration
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
http://secunia.com/advisories/51033
http://secunia.com/advisories/51314
http://securitytracker.com/id?1027708
http://ubuntu.com/usn/usn-1632-1
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
http://www.openwall.com/lists/oss-security/2012/10/30/4
http://www.osvdb.org/86493
https://bugzilla.redhat.com/show_bug.cgi?id=865164
https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
https://www.djangoproject.com/weblog/2012/oct/17/security/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691145
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090666.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090904.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090970.html
http://secunia.com/advisories/51033
http://secunia.com/advisories/51314
http://securitytracker.com/id?1027708
http://ubuntu.com/usn/usn-1632-1
http://ubuntu.com/usn/usn-1757-1
http://www.debian.org/security/2013/dsa-2634
http://www.openwall.com/lists/oss-security/2012/10/30/4
http://www.osvdb.org/86493
https://bugzilla.redhat.com/show_bug.cgi?id=865164
https://github.com/django/django/commit/92d3430f12171f16f566c9050c40feefb830a4a3
https://github.com/django/django/commit/9305c0e12d43c4df999c3301a1f0c742264a657e
https://github.com/django/django/commit/b45c377f8f488955e0c7069cad3f3dd21910b071
https://www.djangoproject.com/weblog/2012/oct/17/security/