CVE-2015-5144
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
14/07/2015
Last modified:
12/04/2025
Description
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
Impact
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* | 1.4.20 (including) | |
| cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
- http://www.debian.org/security/2015/dsa-3305
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/75665
- http://www.securitytracker.com/id/1032820
- http://www.ubuntu.com/usn/USN-2671-1
- https://security.gentoo.org/glsa/201510-06
- https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
- http://www.debian.org/security/2015/dsa-3305
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/75665
- http://www.securitytracker.com/id/1032820
- http://www.ubuntu.com/usn/USN-2671-1
- https://security.gentoo.org/glsa/201510-06
- https://www.djangoproject.com/weblog/2015/jul/08/security-releases/