Vulnerabilities > CVE-2019-12781 - Cleartext Transmission of Sensitive Information vulnerability in multiple products

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
djangoproject
canonical
debian
CWE-319
nessus

Summary

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Session Sidejacking
    Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Harvesting Usernames or UserIDs via Application API Event Monitoring
    An attacker hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the attacker creating an event within the sub-application. Assume the attacker hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via MITM proxy the user_ids and usernames of everyone who attends. The attacker would then be able to spam those users within the application using an automated script.
  • Signature Spoofing by Mixing Signed and Unsigned Content
    An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
  • Passively Sniff and Capture Application Code Bound for Authorized Client
    Attackers can capture application code bound for the client and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4043-1.NASL
    descriptionIt was discovered that Django incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 18.10 and Ubuntu 19.04. (CVE-2019-12308) Gavin Wahl discovered that Django incorrectly handled certain requests. An attacker could possibly use this issue to bypass credentials and access administrator interface. (CVE-2019-12781). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id126445
    published2019-07-02
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126445
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : python-django vulnerabilities (USN-4043-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-D9AA58D863.NASL
    descriptionupdate to 2.1.10, security fix for CVE-2019-12781 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id126664
    published2019-07-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126664
    titleFedora 30 : python-django (2019-d9aa58d863)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4476.NASL
    descriptionThree security issues were found in Django, a Python web development framework, which could result in denial of service, incomplete sanitisation of clickable links or missing redirects of HTTP requests to HTTPS.
    last seen2020-06-01
    modified2020-06-02
    plugin id126514
    published2019-07-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126514
    titleDebian DSA-4476-1 : python-django - security update
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B805D7B49C0C11E997F0000C29E96DB4.NASL
    descriptionDjango security releases issued : When deployed behind a reverse-proxy connecting to Django via HTTPS, django.http.HttpRequest.scheme would incorrectly detect client requests made via HTTP as using HTTPS. This entails incorrect results for is_secure(), and build_absolute_uri(), and that HTTP requests would not be redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.
    last seen2020-06-01
    modified2020-06-02
    plugin id126414
    published2019-07-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126414
    titleFreeBSD : Django -- Incorrect HTTP detection with reverse-proxy connecting via HTTPS (b805d7b4-9c0c-11e9-97f0-000c29e96db4)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1839.NASL
    descriptionThis update for python-Django fixes the following issues : Security issues fixed : 	 - CVE-2019-11358: Fixed prototype pollution. - CVE-2019-12308: Fixed XSS in AdminURLFieldWidget (bsc#1136468) - CVE-2019-12781: Fixed incorrect HTTP detection with reverse-proxy connecting via HTTPS (bsc#1139945). - CVE-2019-14232: Fixed denial-of-service possibility in ``django.utils.text.Truncator`` (bsc#1142880). - CVE-2019-14233: Fixed denial-of-service possibility in ``strip_tags()`` (bsc#1142882). - CVE-2019-14234: Fixed SQL injection possibility in key and index lookups for ``JSONField``/``HStoreField`` (bsc#1142883). - CVE-2019-14235: Fixed potential memory exhaustion in ``django.utils.encoding.uri_to_iri()`` (bsc#1142885). Non-security issues fixed : - Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or DateTimeRangeField, if the right hand side of an expression is the same type.
    last seen2020-06-01
    modified2020-06-02
    plugin id127742
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127742
    titleopenSUSE Security Update : python-Django (openSUSE-2019-1839)

Redhat

rpms
  • python-django-bash-completion-0:2.1.11-1.el8ost
  • python3-django-0:2.1.11-1.el8ost

References