Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2015-5144 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the version of python-django as included with Red Hat Enterprise Linux OpenStack Platform 5 and 6 however there is no known security impact in a supported use-case at this time.
A future update may address this issue.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | Django | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | python-django | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | python-django | Will not fix |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | python-django | Will not fix |
Vulmon