SB2019071826 - Cleartext transmission of sensitive information in py-django (Alpine package)
Published: July 18, 2019
Security Bulletin ID
SB2019071826
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjecent network
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cleartext transmission of sensitive information (CVE-ID: CVE-2019-12781)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to django.http.HttpRequest.scheme, when deployed behind a reverse-proxy, does not correctly treat requests sent over HTTP protocol, assuming that a secure protocol is used for communication. A remote attacker with ability to force victim to use HTTP instead of HTTPS protocol can perform man-in-the-middle (MitM) attack and intercept communication in cleat text.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=05df5a7eeb09061bdf012d07511da2456cb4f394
- https://git.alpinelinux.org/aports/commit/?id=2bf8de409de29218b845158bf2dcfdce10b33611
- https://git.alpinelinux.org/aports/commit/?id=567a56572370de5becee0aadddedd2d09a8b1add
- https://git.alpinelinux.org/aports/commit/?id=5e2845599266000b2347b98ebba695ac77e015a0
- https://git.alpinelinux.org/aports/commit/?id=b6c78e1959e4b0971f6f4d301c1a284692dc2b08