Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.8
CVE Id: CVE-2011-4140
Last Modified: 26 Jan 2012 11:03:29
Published: 19 Oct 2011 06:55:04
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2011-4140

Summary

The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code.

Vulnerable Systems

Application

  • Djangoproject Django 0.91
  • Djangoproject Django 0.95
  • Djangoproject Django 0.95.1
  • Djangoproject Django 0.96
  • Djangoproject Django 1.0
  • Djangoproject Django 1.0.1
  • Djangoproject Django 1.0.2
  • Djangoproject Django 1.1
  • Djangoproject Django 1.1.0
  • Djangoproject Django 1.1.2
  • Djangoproject Django 1.1.3
  • Djangoproject Django 1.2
  • Djangoproject Django 1.2.1
  • Djangoproject Django 1.2.2
  • Djangoproject Django 1.2.3
  • Djangoproject Django 1.2.4
  • Djangoproject Django 1.2.5
  • Djangoproject Django 1.2.6
  • Djangoproject Django 1.3

References

  • CONFIRM - https://www.djangoproject.com/weblog/2011/sep/10/127/
  • CONFIRM - https://www.djangoproject.com/weblog/2011/sep/09/
  • CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=737366
  • MLIST - [oss-security] 20110913 Re: CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • MLIST - [oss-security] 20110911 CVE Request -- Django: v1.3.1, v1.2.7 multiple security flaws
  • DEBIAN - DSA-2332
  • SECUNIA - 46614


Last Updated: 27 May 2016 10:56:27