CVE-2011-4140

Source: ubuntu.com (Ubuntu CVE tracker, UB:CVE-2011-4140)
Published: 2011-10-19

AI Score: 7.4 High (confidence: Low)

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.004 Low (percentile: 72.4%)

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through
1.3.1 does not properly handle web-server configurations supporting
arbitrary HTTP Host headers, which allows remote attackers to trigger
unauthenticated forged requests via vectors involving a DNS CNAME record
and a web page containing JavaScript code.

Notes

Author Note (jdstrand): Upstream does not consider this a bug in Django but instead advises that web servers be properly configured: "To avoid this potential attack, we recommend that users of Django ensure their web-server configuration always validates incoming HTTP Host headers against the expected host name, disallows requests with no Host header, and that the web server not be configured with a catch-all virtual host which forwards requests to a Django application." In addition to the vulnerabilities python-django disclosed, they also posted 3 advisories. 2 of them did not receive a CVE, but this one did. Upstream is not planning on fixing the issue as it is dependent on an insecure server configuration; as such, there is nothing to be done in Ubuntu.
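The upstream guidance quoted above (validate Host against the expected name, refuse requests with no Host, no catch-all forwarding) expressed as a WSGI wrapper placed in front of a Django application. This is an added illustration, not Django's or Ubuntu's code; the host names in EXPECTED_HOSTS are constructed placeholders and the check would normally also live in the web server configuration.

```python
"""Host-header allow-list enforced in front of a Django/WSGI app (constructed example)."""
from typing import Callable, Iterable, Optional

# Hypothetical allow-list: the names the web server actually serves, never a wildcard.
EXPECTED_HOSTS = frozenset({"app.example.com", "www.example.com"})


def host_is_allowed(host_header: Optional[str], allowed: Iterable[str] = EXPECTED_HOSTS) -> bool:
    """Return True only for a present, well-formed Host that is on the allow-list.

    A missing or empty Host is rejected outright (no "default vhost" behaviour).
    A port suffix is stripped so "app.example.com:443" still matches; a trailing
    dot (DNS absolute form) and letter case are normalised, because a name that
    merely resolves to this server (e.g. via an attacker's CNAME) must not match
    just because it is spelled differently.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                      # IPv6 literal such as [::1]:8000
        end = host.find("]")
        if end == -1:
            return False
        host = host[: end + 1]
    elif ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():                    # malformed port: reject, do not guess
            return False
    host = host.rstrip(".")
    return host in {h.lower() for h in allowed}


class HostValidationMiddleware:
    """WSGI wrapper: refuse any request whose Host is absent or not an expected name."""

    def __init__(self, app: Callable, allowed: Iterable[str] = EXPECTED_HOSTS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        # WSGI exposes the Host header as HTTP_HOST; it is absent when the client sent none.
        if not host_is_allowed(environ.get("HTTP_HOST"), self.allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Host header\n"]
        return self.app(environ, start_response)
```

In a Django project this would wrap the object returned by get_wsgi_application() in wsgi.py; the same three rules are what the upstream note asks the web server itself to enforce.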
