Man-in-the-Middle (MitM) Affecting django package, versions [1.11.0,1.11.22) [2.1.0,2.1.10) [2.2.0,2.2.3)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-DJANGO-451300
- published 1 Jul 2019
- disclosed 1 Jul 2019
- credit Gavin Wahl
Introduced: 1 Jul 2019
CVE-2019-12781 Open this link in a new tabHow to fix?
Upgrade Django
to version 1.11.22, 2.1.10, 2.2.3 or higher.
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER
and SECURE_SSL_REDIRECT
settings are used, and the proxy connects to Django via HTTPS. As such, django.http.HttpRequest.scheme
has incorrect behavior when a client uses HTTP. This entails incorrect results for is_secure()
, and build_absolute_uri()
, and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT
.