CVE-2015-5144: Input Validation
First published: Tue Jul 14 2015(Updated: )
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Django | >=1.8a1<1.8.3 | 1.8.3 |
| pip/Django | >=1.5<1.7.9 | 1.7.9 |
| pip/django | <1.4.21 | 1.4.21 |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.04 | |
| Ubuntu | =15.10 | |
| Django | <=1.4.20 | |
| Django | =1.5 | |
| Django | =1.5-alpha | |
| Django | =1.5-beta | |
| Django | =1.5.1 | |
| Django | =1.5.2 | |
| Django | =1.5.3 | |
| Django | =1.5.4 | |
| Django | =1.5.5 | |
| Django | =1.5.6 | |
| Django | =1.5.7 | |
| Django | =1.5.8 | |
| Django | =1.5.9 | |
| Django | =1.5.10 | |
| Django | =1.5.11 | |
| Django | =1.5.12 | |
| Django | =1.6 | |
| Django | =1.6-beta1 | |
| Django | =1.6-beta2 | |
| Django | =1.6-beta3 | |
| Django | =1.6-beta4 | |
| Django | =1.6.1 | |
| Django | =1.6.2 | |
| Django | =1.6.3 | |
| Django | =1.6.4 | |
| Django | =1.6.5 | |
| Django | =1.6.6 | |
| Django | =1.6.7 | |
| Django | =1.6.8 | |
| Django | =1.6.9 | |
| Django | =1.6.10 | |
| Django | =1.7-beta1 | |
| Django | =1.7-beta2 | |
| Django | =1.7-beta3 | |
| Django | =1.7-beta4 | |
| Django | =1.7-rc1 | |
| Django | =1.7-rc2 | |
| Django | =1.7-rc3 | |
| Django | =1.7.1 | |
| Django | =1.7.2 | |
| Django | =1.7.3 | |
| Django | =1.7.4 | |
| Django | =1.7.5 | |
| Django | =1.7.6 | |
| Django | =1.7.7 | |
| Django | =1.7.8 | |
| Django | =1.7.9 | |
| Django | =1.8-beta1 | |
| Django | =1.8.0 | |
| Django | =1.8.1 | |
| Django | =1.8.2 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| Oracle Solaris and Zettabyte File System (ZFS) | =11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
- http://www.debian.org/security/2015/dsa-3305
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/75665
- http://www.securitytracker.com/id/1032820
- http://www.ubuntu.com/usn/USN-2671-1
- https://security.gentoo.org/glsa/201510-06
- https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2015-5144
- https://github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a
- https://github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0
- https://github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649
- https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.4.21.txt#L30-L54
- https://web.archive.org/web/20150924150801/http://www.securitytracker.com/id/1032820
- https://web.archive.org/web/20200228050526/http://www.securityfocus.com/bid/75665
- https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c
- https://www.djangoproject.com/weblog/2015/jul/08/security-releases
- https://github.com/advisories/GHSA-q5qw-4364-5hhm (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-10.yaml
Frequently Asked Questions
What is the severity of CVE-2015-5144?
CVE-2015-5144 has been classified as a moderate severity vulnerability.
How do I fix CVE-2015-5144?
To fix CVE-2015-5144, upgrade Django to version 1.8.3 or above, 1.7.9 or above, or 1.4.21.
What types of attacks are possible due to CVE-2015-5144?
CVE-2015-5144 allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks.
Which versions of Django are affected by CVE-2015-5144?
Django versions before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 are affected.
Is there a workaround for CVE-2015-5144 if I cannot upgrade Django?
No specific workaround is available for CVE-2015-5144; upgrading to a patched version is recommended.
- agent/type
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q5qw-4364-5hhm
- alias/CVE-2015-5144
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/pip
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.04
- version/ubuntu/15.10
- vendor/djangoproject
- canonical/django
- version/django/1.4.20
- version/django/1.5
- version/django/1.5-alpha
- version/django/1.5-beta
- version/django/1.5.1
- version/django/1.5.2
- version/django/1.5.3
- version/django/1.5.4
- version/django/1.5.5
- version/django/1.5.6
- version/django/1.5.7
- version/django/1.5.8
- version/django/1.5.9
- version/django/1.5.10
- version/django/1.5.11
- version/django/1.5.12
- version/django/1.6
- version/django/1.6-beta1
- version/django/1.6-beta2
- version/django/1.6-beta3
- version/django/1.6-beta4
- version/django/1.6.1
- version/django/1.6.2
- version/django/1.6.3
- version/django/1.6.4
- version/django/1.6.5
- version/django/1.6.6
- version/django/1.6.7
- version/django/1.6.8
- version/django/1.6.9
- version/django/1.6.10
- version/django/1.7-beta1
- version/django/1.7-beta2
- version/django/1.7-beta3
- version/django/1.7-beta4
- version/django/1.7-rc1
- version/django/1.7-rc2
- version/django/1.7-rc3
- version/django/1.7.1
- version/django/1.7.2
- version/django/1.7.3
- version/django/1.7.4
- version/django/1.7.5
- version/django/1.7.6
- version/django/1.7.7
- version/django/1.7.8
- version/django/1.7.9
- version/django/1.8-beta1
- version/django/1.8.0
- version/django/1.8.1
- version/django/1.8.2
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- vendor/oracle
- canonical/oracle solaris and zettabyte file system (zfs)
- version/oracle solaris and zettabyte file system (zfs)/11.3