Description
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.
An HTTP detection flaw was discovered in Django. If deployed behind a reverse proxy that connects to Django via HTTPS, django.http.HttpRequest.scheme incorrectly reported client requests made over HTTP as HTTPS: when the SECURE_PROXY_SSL_HEADER header carried any value other than the configured "https" marker, Django ignored it and fell back to the scheme of its own connection to the proxy. This resulted in incorrect results for is_secure() and build_absolute_uri(), and HTTP requests were not redirected to HTTPS in accordance with SECURE_SSL_REDIRECT.
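The decision rule behind this flaw, as an added example that is not Django's source and not part of the original advisory: two small functions model how `HttpRequest.scheme` resolved the scheme before and after the fix (the pre-fix rule only honours an exact match of the `SECURE_PROXY_SSL_HEADER` value, the post-fix rule treats a present header as authoritative in both directions), and a third models the `SECURE_SSL_REDIRECT` decision. The WSGI environ fragments, the hostname `app.example`, and the function names `scheme_vulnerable`, `scheme_fixed`, `needs_ssl_redirect`, `make_meta` and `evaluate` are constructed for this example.

```python
"""Added example (not Django's source): a model of how django.http.HttpRequest.scheme
decided the request scheme before and after the fix for this issue, driven by a
constructed WSGI environ. All function names here are this example's own."""

# Django-style setting: (META key of the proxy header, value that means "client used HTTPS")
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def scheme_vulnerable(meta, secure_proxy_ssl_header=SECURE_PROXY_SSL_HEADER):
    """Pre-fix rule: only an exact match of the header yields 'https'; any other
    value (including an explicit 'http' from the proxy) is ignored and the scheme
    of the proxy-to-Django hop (wsgi.url_scheme) wins."""
    header, value = secure_proxy_ssl_header
    if meta.get(header) == value:
        return "https"
    return meta.get("wsgi.url_scheme", "http")


def scheme_fixed(meta, secure_proxy_ssl_header=SECURE_PROXY_SSL_HEADER):
    """Post-fix rule: if the proxy header is present it is authoritative in both
    directions; wsgi.url_scheme is consulted only when the header is absent."""
    header, value = secure_proxy_ssl_header
    header_value = meta.get(header)
    if header_value is not None:
        return "https" if header_value == value else "http"
    return meta.get("wsgi.url_scheme", "http")


def needs_ssl_redirect(meta, scheme_fn, secure_ssl_redirect=True):
    """Model of the SECURE_SSL_REDIRECT decision: redirect whenever the
    request is not considered secure by the supplied scheme rule."""
    return bool(secure_ssl_redirect) and scheme_fn(meta) != "https"


def make_meta(forwarded_proto, proxy_to_django_scheme):
    """Constructed WSGI environ fragment. forwarded_proto is what the reverse
    proxy says the client used (None = header not sent at all);
    proxy_to_django_scheme is the scheme of the proxy's own hop to Django."""
    meta = {"wsgi.url_scheme": proxy_to_django_scheme, "HTTP_HOST": "app.example"}
    if forwarded_proto is not None:
        meta["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return meta


def evaluate(forwarded_proto, proxy_to_django_scheme):
    """Return what each version reports for one deployment/request combination."""
    meta = make_meta(forwarded_proto, proxy_to_django_scheme)
    return {
        "vulnerable": {
            "scheme": scheme_vulnerable(meta),
            "redirect": needs_ssl_redirect(meta, scheme_vulnerable),
        },
        "fixed": {
            "scheme": scheme_fixed(meta),
            "redirect": needs_ssl_redirect(meta, scheme_fixed),
        },
    }


SCENARIOS = [
    # (client scheme as reported by the proxy, proxy->Django scheme)
    ("http", "https"),   # the advisory's case: plain-HTTP client, TLS between proxy and Django
    ("https", "https"),
    ("http", "http"),
    (None, "https"),     # proxy did not set the header at all
]


if __name__ == "__main__":
    for forwarded, hop in SCENARIOS:
        r = evaluate(forwarded, hop)
        print(f"X-Forwarded-Proto={forwarded!s:5} proxy->Django={hop:5} "
              f"vulnerable={r['vulnerable']['scheme']}/redirect={r['vulnerable']['redirect']} "
              f"fixed={r['fixed']['scheme']}/redirect={r['fixed']['redirect']}")
```

The first scenario is the one the advisory describes: the proxy reports `http`, the pre-fix rule discards that and trusts the TLS hop, so `is_secure()` would be true and no redirect is issued; the post-fix rule returns `http` and redirects. The last scenario shows that even the fixed rule falls back to `wsgi.url_scheme` when the header is missing, which is why the proxy must set (or strip and re-set) the header on every request; the fix does not remove that deployment requirement.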
Statement
This issue does not affect any versions of python-django as shipped with Red Hat Update Infrastructure for Cloud Providers as the load balancer should not be configured to forward HTTP requests.
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Ceph Storage 2 | python-django | Not affected | | |
Red Hat Ceph Storage 3 | python-django | Not affected | | |
Red Hat Certification for Red Hat Enterprise Linux 7 | python-django | Affected | | |
Red Hat OpenStack Platform 10 (Newton) | python-django | Will not fix | | |
Red Hat OpenStack Platform 14 (Rocky) | python-django | Affected | | |
Red Hat OpenStack Platform 9 (Mitaka) | python-django | Will not fix | | |
Red Hat OpenStack Platform 9 (Mitaka) Operational Tools | python-django | Will not fix | | |
Red Hat Storage 3 | python-django | Affected | | |
Red Hat Update Infrastructure 3 for Cloud Providers | python-django | Not affected | | |
Red Hat OpenStack Platform 13.0 (Queens) | python-django | Fixed | RHSA-2020:4390 | 2020-10-28 |
Additional information
EPSS
CVSS3: 4.8 Medium
Related vulnerabilities
Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS
A vulnerability in the django.http.HttpRequest.scheme component of the Django library for the Python programming language that allows an attacker to gain access to protected information