CVE-2019-12781

Description

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

How to fix CVE-2019-12781

To remediate CVE-2019-12781, upgrade the affected package to a fixed version below.

• —upgrade to 1.11.22-r0 or later
• —upgrade to 1.11.22-r0 or later
• —upgrade to 1:1.11.22-1 or later
• —upgrade to 1.7.11-1+deb8u6 or later
• —upgrade to 2.1.10 or later
• —upgrade to 2.1.10 or later

Is CVE-2019-12781 being exploited?

Low — EPSS is 4.2%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 1.11.22-r0
• from 0, < 1.11.22-r0
• from 0, < 1:1.11.22-1
• from 0, < 1.7.11-1+deb8u6
• >= 2.1, < 2.1.10
• >= 2.1, < 2.1.10, >= 2.2, < 2.2.3, >= 1.11, < 1.11.22

CVSS scores

References (23)

• ADVISORYgithub.com/advisories/GHSA-6c7v-2f49-8h26
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-12781
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-12781
• ADVISORYsecurity.netapp.com/advisory/ntap-20190705-0002/
• ADVISORY