GHSA-6c7v-2f49-8h26

Source

https://github.com/advisories/GHSA-6c7v-2f49-8h26

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-6c7v-2f49-8h26/GHSA-6c7v-2f49-8h26.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6c7v-2f49-8h26

Aliases

Published

2019-07-03T20:37:25Z

Modified

2024-09-18T16:26:02.265514Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS

Details

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECUREPROXYSSLHEADER and SECURESSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1

Fixed

2.1.10

Affected versions

2.*

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.7

2.1.8

2.1.9

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2

Fixed

2.2.3

Affected versions

2.*

2.2

2.2.1

2.2.2

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.11

Fixed

1.11.22

Affected versions

1.*

1.11

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9

1.11.10

1.11.11

1.11.12

1.11.13

1.11.14

1.11.15

1.11.16

1.11.17

1.11.18

1.11.20

1.11.21