Man-in-the-Middle (MitM) Affecting django package, versions [1.11.0,1.11.22) [2.1.0,2.1.10) [2.2.0,2.2.3)


0.0
high

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.62% (79th percentile)
Expand this section
NVD
5.3 medium
Expand this section
Red Hat
4.8 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-DJANGO-451300
  • published 1 Jul 2019
  • disclosed 1 Jul 2019
  • credit Gavin Wahl

How to fix?

Upgrade Django to version 1.11.22, 2.1.10, 2.2.3 or higher.

Overview

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. As such, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.