CVE-2019-12781 – django
Package
Manager: pip
Name: django
Vulnerable Version: >=2.1 <2.1.10 || >=2.2 <2.2.3 || >=1.11 <1.11.22
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.107 (percentile: 0.93042)
Details
Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.
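The scheme decision described above, as a simplified model that can be run without Django. This is an added example, not Django's source code. The function names, the request dictionaries, the HTTP_X_FORWARDED_PROTO header name and the fallback to wsgi.url_scheme are assumptions made for illustration.

```python
# Simplified model of scheme detection behind a reverse proxy.
# Not Django source: all names and request environments here are constructed.

# Assumed setting values for a typical deployment.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
SECURE_SSL_REDIRECT = True


def scheme_affected(meta):
    """Honour the proxy header only when it equals the secure value; any
    other value falls through to the scheme of the proxy-to-app connection."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    if meta.get(header) == secure_value:
        return "https"
    return meta.get("wsgi.url_scheme", "http")


def scheme_corrected(meta):
    """Treat the proxy header as authoritative whenever it is present; use
    the connection scheme only when the header is absent."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    value = meta.get(header)
    if value is not None:
        return "https" if value == secure_value else "http"
    return meta.get("wsgi.url_scheme", "http")


def redirects_to_https(scheme_fn, meta):
    """Model of the SECURE_SSL_REDIRECT decision: redirect unless secure."""
    return SECURE_SSL_REDIRECT and scheme_fn(meta) != "https"


# Constructed request environments (client leg / proxy-to-app leg).
CASES = {
    "client http, proxy https": {"wsgi.url_scheme": "https", "HTTP_X_FORWARDED_PROTO": "http"},
    "client https, proxy https": {"wsgi.url_scheme": "https", "HTTP_X_FORWARDED_PROTO": "https"},
    "client http, proxy http": {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "http"},
    "no header, direct https": {"wsgi.url_scheme": "https"},
}


def compare():
    """Return {case: (redirect under affected logic, under corrected logic)}."""
    return {name: (redirects_to_https(scheme_affected, meta),
                   redirects_to_https(scheme_corrected, meta))
            for name, meta in CASES.items()}


if __name__ == "__main__":
    for name, (affected, corrected) in compare().items():
        print(f"{name:28} affected={affected!s:5} corrected={corrected}")
```

Only the first case differs between the two functions: the client used HTTP, the proxy reached the application over HTTPS, and the affected logic reports the request as secure so no redirect is issued.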
Metadata
Created: 2019-07-03T20:37:25Z
Modified: 2024-09-18T16:15:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-6c7v-2f49-8h26/GHSA-6c7v-2f49-8h26.json
CWE IDs: ["CWE-319"]
Alternative ID: GHSA-6c7v-2f49-8h26
Finding: F332
Auto approve: 1