#VU18967 Cleartext transmission of sensitive information in Django - CVE-2019-12781

Cybersecurity Help s.r.o.

Published: 2019-07-02

Vulnerability identifier: #VU18967

Vulnerability risk: Medium

CVSSv4.0: 1.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-12781

CWE-ID: CWE-319

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Django
Web applications / CMS

Vendor: Django Software Foundation

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to django.http.HttpRequest.scheme, when deployed behind a reverse-proxy, does not correctly treat requests sent over HTTP protocol, assuming that a secure protocol is used for communication. A remote attacker with ability to force victim to use HTTP instead of HTTPS protocol can perform man-in-the-middle (MitM) attack and intercept communication in cleat text.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Django: 1.11.1 - 1.11.21, 2.1.0 - 2.2.2

External links
https://www.openwall.com/lists/oss-security/2019/07/01/3
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#!topic/django-announce/Is4kLY9ZcZQ
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat OpenStack Platform 15 update for python-django

OpenSUSE Linux update for python-Django

Cleartext transmission of sensitive information in py-django (Alpine package)

Arch Linux update for python-django

Arch Linux update for python2-django

Debian update for python-django

MitM attack in Django