CVE-2015-5144: Input Validation
First published: Tue Jul 14 2015(Updated: )
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Django | >=1.8a1<1.8.3 | 1.8.3 |
| pip/Django | >=1.5<1.7.9 | 1.7.9 |
| pip/django | <1.4.21 | 1.4.21 |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.04 | |
| Ubuntu | =15.10 | |
| djangoproject Django | <=1.4.20 | |
| djangoproject Django | =1.5 | |
| djangoproject Django | =1.5-alpha | |
| djangoproject Django | =1.5-beta | |
| djangoproject Django | =1.5.1 | |
| djangoproject Django | =1.5.2 | |
| djangoproject Django | =1.5.3 | |
| djangoproject Django | =1.5.4 | |
| djangoproject Django | =1.5.5 | |
| djangoproject Django | =1.5.6 | |
| djangoproject Django | =1.5.7 | |
| djangoproject Django | =1.5.8 | |
| djangoproject Django | =1.5.9 | |
| djangoproject Django | =1.5.10 | |
| djangoproject Django | =1.5.11 | |
| djangoproject Django | =1.5.12 | |
| djangoproject Django | =1.6 | |
| djangoproject Django | =1.6-beta1 | |
| djangoproject Django | =1.6-beta2 | |
| djangoproject Django | =1.6-beta3 | |
| djangoproject Django | =1.6-beta4 | |
| djangoproject Django | =1.6.1 | |
| djangoproject Django | =1.6.2 | |
| djangoproject Django | =1.6.3 | |
| djangoproject Django | =1.6.4 | |
| djangoproject Django | =1.6.5 | |
| djangoproject Django | =1.6.6 | |
| djangoproject Django | =1.6.7 | |
| djangoproject Django | =1.6.8 | |
| djangoproject Django | =1.6.9 | |
| djangoproject Django | =1.6.10 | |
| djangoproject Django | =1.7-beta1 | |
| djangoproject Django | =1.7-beta2 | |
| djangoproject Django | =1.7-beta3 | |
| djangoproject Django | =1.7-beta4 | |
| djangoproject Django | =1.7-rc1 | |
| djangoproject Django | =1.7-rc2 | |
| djangoproject Django | =1.7-rc3 | |
| djangoproject Django | =1.7.1 | |
| djangoproject Django | =1.7.2 | |
| djangoproject Django | =1.7.3 | |
| djangoproject Django | =1.7.4 | |
| djangoproject Django | =1.7.5 | |
| djangoproject Django | =1.7.6 | |
| djangoproject Django | =1.7.7 | |
| djangoproject Django | =1.7.8 | |
| djangoproject Django | =1.7.9 | |
| djangoproject Django | =1.8-beta1 | |
| djangoproject Django | =1.8.0 | |
| djangoproject Django | =1.8.1 | |
| djangoproject Django | =1.8.2 | |
| Debian | =7.0 | |
| Debian | =8.0 | |
| Oracle Solaris SPARC | =11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00046.html
- http://www.debian.org/security/2015/dsa-3305
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.securityfocus.com/bid/75665
- http://www.securitytracker.com/id/1032820
- http://www.ubuntu.com/usn/USN-2671-1
- https://security.gentoo.org/glsa/201510-06
- https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2015-5144
- https://github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a
- https://github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0
- https://github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649
- https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.4.21.txt#L30-L54
- https://web.archive.org/web/20150924150801/http://www.securitytracker.com/id/1032820
- https://web.archive.org/web/20200228050526/http://www.securityfocus.com/bid/75665
- https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c
- https://www.djangoproject.com/weblog/2015/jul/08/security-releases
- https://github.com/advisories/GHSA-q5qw-4364-5hhm (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-10.yaml
Frequently Asked Questions
What is the severity of CVE-2015-5144?
CVE-2015-5144 has been classified as a moderate severity vulnerability.
How do I fix CVE-2015-5144?
To fix CVE-2015-5144, upgrade Django to version 1.8.3 or above, 1.7.9 or above, or 1.4.21.
What types of attacks are possible due to CVE-2015-5144?
CVE-2015-5144 allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks.
Which versions of Django are affected by CVE-2015-5144?
Django versions before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 are affected.
Is there a workaround for CVE-2015-5144 if I cannot upgrade Django?
No specific workaround is available for CVE-2015-5144; upgrading to a patched version is recommended.
- agent/type
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-q5qw-4364-5hhm
- alias/CVE-2015-5144
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.04
- version/ubuntu/15.10
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/1.4.20
- version/djangoproject django/1.5
- version/djangoproject django/1.5-alpha
- version/djangoproject django/1.5-beta
- version/djangoproject django/1.5.1
- version/djangoproject django/1.5.2
- version/djangoproject django/1.5.3
- version/djangoproject django/1.5.4
- version/djangoproject django/1.5.5
- version/djangoproject django/1.5.6
- version/djangoproject django/1.5.7
- version/djangoproject django/1.5.8
- version/djangoproject django/1.5.9
- version/djangoproject django/1.5.10
- version/djangoproject django/1.5.11
- version/djangoproject django/1.5.12
- version/djangoproject django/1.6
- version/djangoproject django/1.6-beta1
- version/djangoproject django/1.6-beta2
- version/djangoproject django/1.6-beta3
- version/djangoproject django/1.6-beta4
- version/djangoproject django/1.6.1
- version/djangoproject django/1.6.2
- version/djangoproject django/1.6.3
- version/djangoproject django/1.6.4
- version/djangoproject django/1.6.5
- version/djangoproject django/1.6.6
- version/djangoproject django/1.6.7
- version/djangoproject django/1.6.8
- version/djangoproject django/1.6.9
- version/djangoproject django/1.6.10
- version/djangoproject django/1.7-beta1
- version/djangoproject django/1.7-beta2
- version/djangoproject django/1.7-beta3
- version/djangoproject django/1.7-beta4
- version/djangoproject django/1.7-rc1
- version/djangoproject django/1.7-rc2
- version/djangoproject django/1.7-rc3
- version/djangoproject django/1.7.1
- version/djangoproject django/1.7.2
- version/djangoproject django/1.7.3
- version/djangoproject django/1.7.4
- version/djangoproject django/1.7.5
- version/djangoproject django/1.7.6
- version/djangoproject django/1.7.7
- version/djangoproject django/1.7.8
- version/djangoproject django/1.7.9
- version/djangoproject django/1.8-beta1
- version/djangoproject django/1.8.0
- version/djangoproject django/1.8.1
- version/djangoproject django/1.8.2
- vendor/debian
- canonical/debian
- version/debian/7.0
- version/debian/8.0
- vendor/oracle
- canonical/oracle solaris sparc
- version/oracle solaris sparc/11.3