High severity · NVD Advisory · Published Jul 14, 2015 · Updated Jun 17, 2026
CVE-2015-5144
Description
Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | < 1.4.21 | 1.4.21 |
| Django (PyPI) | >= 1.5, < 1.7.9 | 1.7.9 |
| Django (PyPI) | >= 1.8a1, < 1.8.3 | 1.8.3 |
Affected products
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (range: <=1.4.20)
- cpe:2.3:a:djangoproject:django:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:alpha:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.5:beta:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:-:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.6:beta4:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:beta4:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc2:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.7:rc3:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:1.8:beta1:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- ghsa-coords (4 versions): pkg:pypi/django; pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%201.0; pkg:rpm/suse/python-Django&distro=SUSE%20Enterprise%20Storage%202; pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%205
- (no CPE) range: < 1.4.21
- (no CPE) range: < 1.6.11-8.1
- (no CPE) range: < 1.6.11-3.1
- (no CPE) range: < 1.6.11-10.2
References (21)
- www.debian.org/security/2015/dsa-3305 (nvd; Third Party Advisory; WEB)
- www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html (nvd; Third Party Advisory; WEB)
- www.ubuntu.com/usn/USN-2671-1 (nvd; Third Party Advisory; WEB)
- github.com/advisories/GHSA-q5qw-4364-5hhm (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-5144 (ghsa; ADVISORY)
- www.djangoproject.com/weblog/2015/jul/08/security-releases/ (nvd; Vendor Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2015-November/172084.html (nvd; WEB)
- lists.opensuse.org/opensuse-updates/2015-10/msg00043.html (nvd; WEB)
- lists.opensuse.org/opensuse-updates/2015-10/msg00046.html (nvd; WEB)
- github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.4.21.txt (ghsa; WEB)
- github.com/django/django/commit/1ba1cdce7d58e6740fe51955d945b56ae51d072a (ghsa; WEB)
- github.com/django/django/commit/574dd5e0b0fbb877ae5827b1603d298edc9bb2a0 (ghsa; WEB)
- github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c (ghsa; WEB)
- github.com/django/django/commit/ae49b4d994656bc037513dcd064cb9ce5bb85649 (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-10.yaml (ghsa; WEB)
- security.gentoo.org/glsa/201510-06 (nvd; WEB)
- web.archive.org/web/20150924150801/http://www.securitytracker.com/id/1032820 (ghsa; WEB)
- web.archive.org/web/20200228050526/http://www.securityfocus.com/bid/75665 (ghsa; WEB)
- www.djangoproject.com/weblog/2015/jul/08/security-releases (ghsa; WEB)
- www.securityfocus.com/bid/75665 (nvd)
- www.securitytracker.com/id/1032820 (nvd)