CVE-2015-5144: Django Vulnerable to HTTP Response Splitting Attack
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.79015%
CWE
Published
5/17/2022
Updated
9/18/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
django | pip | < 1.4.21 | 1.4.21 |
Django | pip | >= 1.5, < 1.7.9 | 1.7.9 |
Django | pip | >= 1.8a1, < 1.8.3 | 1.8.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from regex patterns using '$' (which matches at string end or before a trailing newline) instead of '\Z' (strict end-of-string). This allowed newline characters in validated input. The commit diffs (e.g., 1ba1cdc) explicitly modify these validators' regexes in django/core/validators.py
, and the CVE description directly names these four validators as attack vectors. High confidence is justified by the direct correlation between the vulnerability report, patch changes, and affected functions.