CVE-2015-5144
Django Vulnerable to HTTP Response Splitting Attack
7.5
HIGH
CVSS 3.1
EPSS 1.5%
Description
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
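The root cause, per the Django 1.8.3 / 1.7.9 / 1.4.21 release notes, is that the affected validators anchored their patterns with `$` rather than `\Z`. In Python's `re`, `$` (without `re.MULTILINE`) also matches just before a single trailing newline, so `"user@example.com\n"` passed `EmailValidator` and `"https://example.com/\n"` passed `URLValidator`; the fix switched the anchors to `\Z`. The example below is added here and is not Django's code: the regexes are deliberately simplified stand-ins for the slug and URL validators, `render_headers_*` and `parse_lenient` are a toy serialiser and a toy recipient that tolerates bare LF line endings (which RFC 7230 permits), and all inputs are constructed. It shows the one-character anchor difference, how a value that slipped through ends the header block early when written into a response by application code that trusts validated input, and the kind of newline check Django's own `HttpResponse` performs as a second line of defence.

```python
import re
from typing import List, Tuple

# Simplified stand-ins for two affected validators (NOT Django's own regexes).
# Only the end anchor differs between the two versions of each pattern:
# '$' also matches before a string-final '\n'; '\Z' matches only at the end.
SLUG_DOLLAR = re.compile(r"^[-a-zA-Z0-9_]+$")      # pre-fix style anchor
SLUG_Z = re.compile(r"^[-a-zA-Z0-9_]+\Z")          # post-fix style anchor
URL_DOLLAR = re.compile(r"^https?://[^\s/]+(/[^\s]*)?$")
URL_Z = re.compile(r"^https?://[^\s/]+(/[^\s]*)?\Z")


def is_valid(pattern: re.Pattern, value: str) -> bool:
    """Accept the value iff the anchored pattern matches, as the validators do."""
    return pattern.search(value) is not None


def render_headers_naively(headers: List[Tuple[str, str]]) -> str:
    """Serialise a header block with CRLF endings and no newline check, the way
    application code that trusts an already 'validated' value might."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def rejects_newline(value: str) -> bool:
    """Defence in depth: refuse CR or LF in a header value before serialising.
    This is the kind of check Django's HttpResponse applies (BadHeaderError);
    it does not replace fixing the validator itself."""
    return "\r" in value or "\n" in value


def render_headers_safely(headers: List[Tuple[str, str]]) -> str:
    for name, value in headers:
        if rejects_newline(name) or rejects_newline(value):
            raise ValueError(f"header {name!r} contains a newline")
    return render_headers_naively(headers)


def parse_lenient(raw: str) -> Tuple[List[str], str]:
    """Toy recipient that accepts a bare LF as a line terminator (RFC 7230
    allows this). Returns (header lines, everything after the first blank line)."""
    lines: List[str] = []
    rest = raw
    while rest:
        line, _, rest = rest.partition("\n")
        line = line.rstrip("\r")
        if line == "":            # blank line terminates the header block
            break
        lines.append(line)
    return lines, rest


def redirect_block(target: str, pattern: re.Pattern) -> Tuple[List[str], str]:
    """Validate an attacker-supplied redirect target, write it into a Location
    header followed by one more header, and parse the result leniently."""
    if not is_valid(pattern, target):
        raise ValueError("invalid URL")
    raw = render_headers_naively([("Location", target), ("X-Frame-Options", "DENY")])
    return parse_lenient(raw)


if __name__ == "__main__":
    evil = "https://example.com/\n"           # constructed input: trailing LF
    print("slug 'hello\\n' with $:", is_valid(SLUG_DOLLAR, "hello\n"))
    print("slug 'hello\\n' with \\Z:", is_valid(SLUG_Z, "hello\n"))
    headers, body = redirect_block(evil, URL_DOLLAR)
    print("headers seen by lenient parser:", headers)
    print("pushed into the body:", repr(body))
    try:
        redirect_block(evil, URL_Z)
    except ValueError as exc:
        print("with \\Z anchor:", exc)
```

With the `$` anchor the trailing LF is accepted, so the lenient parser sees the blank line right after `Location` and treats `X-Frame-Options: DENY` as body; with `\Z` the same input is rejected at validation. Note that only a single bare `\n` at the very end slips past `$`; `\r\n` does not, which is why the advisory is about a newline character specifically.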
How to fix CVE-2015-5144
To remediate CVE-2015-5144, upgrade the affected package to a fixed version below.
- upgrade to 1.7.9-1 or later
- upgrade to 1.4.21 or later
- upgrade to 1.4.21, 1.7.9 or 1.8.3 or later, depending on the release series in use; 1.5.x and 1.6.x have no fixed release of their own and must move to 1.7.9 or later
Is CVE-2015-5144 being exploited?
Low. EPSS estimates a 1.5% probability of exploitation in the wild over the next 30 days; it is a prediction, not an observation, and no widespread exploitation of this issue has been reported.
Affected packages (3)
- from 0, < 1.7.9-1
- from 0, < 1.4.21
- from 0, < 1.4.21, >= 1.5, < 1.7.9, >= 1.8, < 1.8.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |