GHSA-6c7v-2f49-8h26

Suggest an improvement
Source
https://github.com/advisories/GHSA-6c7v-2f49-8h26
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-6c7v-2f49-8h26/GHSA-6c7v-2f49-8h26.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6c7v-2f49-8h26
Aliases
Published
2019-07-03T20:37:25Z
Modified
2024-09-18T16:22:47.886844Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Django Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Details

An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECUREPROXYSSLHEADER and SECURESSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1
Fixed
2.1.10

Affected versions

2.*

2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.7
2.1.8
2.1.9

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2
Fixed
2.2.3

Affected versions

2.*

2.2
2.2.1
2.2.2

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.11
Fixed
1.11.22

Affected versions

1.*

1.11
1.11.1
1.11.2
1.11.3
1.11.4
1.11.5
1.11.6
1.11.7
1.11.8
1.11.9
1.11.10
1.11.11
1.11.12
1.11.13
1.11.14
1.11.15
1.11.16
1.11.17
1.11.18
1.11.20
1.11.21