Impact: Moderate Public Date: 2019-07-01 CWE: (CWE-358|CWE-444) Bugzilla: 1724497: CVE-2019-12781 Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2019-12781 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 6 | python-django | Under investigation |
| Red Hat OpenStack Platform Operational Tools 9 | python-django | Not affected |
| Red Hat OpenStack Platform 9.0 | python-django | Not affected |
| Red Hat OpenStack Platform 14.0 (Rocky) | python-django | Under investigation |
| Red Hat OpenStack Platform 13.0 (Queens) | python-django | Under investigation |
| Red Hat OpenStack Platform 10 | python-django | Not affected |
| Red Hat Gluster Storage 3 | python-django | Affected |
| Red Hat Ceph Storage 3 | python-django | Not affected |
| Red Hat Ceph Storage 2 | Django | Not affected |
| Red Hat Ceph Storage 2 | python-django | Not affected |
Vulmon