Fixed versions
1.2.8
1.2.7
CVE-2011-4140 is a Cross-Site Request Forgery (CSRF) weakness in the CSRF protection mechanism of the Django web framework. It lets a remote attacker cause a victim's browser to send forged requests that the application accepts as if the authenticated user had made them, potentially leading to unauthorized data modification or actions. The NVD entry gives the affected range as Django through 1.2.7 and 1.3.x through 1.3.1; the Django security releases issued with the advisory were 1.2.7 (for the 1.2 series) and 1.3.1 (for the 1.3 series). The flaw only arises on deployments whose web server accepts arbitrary HTTP Host headers, so the complete fix is to run at least those releases and to configure the web server to serve only the hostnames the site actually uses.
To exploit CVE-2011-4140, an attacker combines a DNS CNAME record with a web page containing JavaScript: the CNAME lives in a zone the attacker controls and points a hostname of the attacker's choosing at the target server, and the page is one the victim can be lured into loading. No compromise of the victim's DNS is required. A successful attack triggers state-changing actions in the name of an authenticated user without their knowledge or consent, for example editing a profile, changing a password or initiating a transaction. The blast radius is every application built on the affected Django versions that sits behind a web server willing to answer requests for any Host value, which is how a default virtual host in Apache or nginx behaves unless a catch-all is configured to refuse unknown names; the impact is greatest where the application handles sensitive user data or financial transactions. The DNS step adds a little setup work for the attacker but does not meaningfully reduce the risk.
CVE-2011-4140 was published on October 19, 2011. No active campaigns against this specific CVE have been publicly reported, but CSRF is a persistent class of attack. The CVE is not in CISA's Known Exploited Vulnerabilities (KEV) catalog; its EPSS score is 0.34% (57th percentile). Public proof-of-concept (PoC) code is available, so exploitation is known to be feasible. Given the vulnerability's age, the systems still exposed are most likely legacy deployments that were never upgraded and never restricted the Host headers their web server accepts.
Exploitation status
EPSS: 0.34% (57th percentile)
CVSS vector: not provided.
The primary mitigation for CVE-2011-4140 is to upgrade to the security releases that accompanied the advisory: Django 1.2.7 for the 1.2 series or 1.3.1 for the 1.3 series, or any later release. Because the flaw depends on the web server accepting arbitrary HTTP Host headers, pair the upgrade with a web-server configuration that serves only the hostnames the site actually uses and answers every other Host value with an error (a catch-all default virtual host in Apache or nginx that returns 400 or closes the connection). Later Django releases added the ALLOWED_HOSTS setting to enforce the same allowlist at the framework level. A Web Application Firewall (WAF) cannot see DNS CNAME records, so "CNAME filtering" rules are not a meaningful control; if a WAF is in the request path, the useful rule is the same Host allowlist. Input validation does not mitigate CSRF either; the defence-in-depth measure for sensitive actions such as password changes or payments is to require re-authentication or an explicit confirmation step. After upgrading, verify both layers: a request carrying a Host header outside the configured set should be rejected by the web server, and a cross-site POST to a protected view without a valid CSRF token should be rejected by Django with a 403.
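Where the web server cannot be changed immediately, the Host restriction described above can also be enforced inside the application as defence in depth. The following is an added example, not code from the Django project or from this page: a framework-agnostic WSGI middleware that wraps any WSGI application (a Django 1.2/1.3 application exposed through django.core.handlers.wsgi.WSGIHandler, for instance) and answers 400 to any request whose Host header is not in an allowlist. The hostnames in ALLOWED_HOSTS, the demo_app stand-in and the call() request driver are assumptions made for the demonstration.

```python
"""Reject requests whose Host header is not one this deployment serves.

Added example, not Django's code: a framework-agnostic WSGI middleware that
can wrap a Django 1.2/1.3 application (django.core.handlers.wsgi.WSGIHandler)
or any other WSGI app. ALLOWED_HOSTS, demo_app and the request driver are
assumptions for the demonstration.
"""

# Hostnames this deployment actually serves (assumed values).
ALLOWED_HOSTS = frozenset({"www.example.com", "example.com"})


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True if the Host header, minus port and case, names an allowed host.

    A hostname an attacker has CNAME'd at this server (say attacker.example)
    arrives as "Host: attacker.example" and is rejected, because the check is
    against the configured names, never against what DNS resolves to.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:8000
        end = host.find("]")
        if end == -1:
            return False
        host = host[:end + 1]
    elif host.count(":") == 1:               # name:port
        host = host.split(":", 1)[0]
    return host.rstrip(".") in allowed       # tolerate a trailing dot


def host_allowlist_middleware(app, allowed=ALLOWED_HOSTS):
    """Wrap `app` so that requests with an unexpected Host get a 400."""
    def wrapped(environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), allowed):
            body = b"Bad Request (unexpected Host header)\n"
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the real application (assumption)."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


protected_app = host_allowlist_middleware(demo_app)


def call(app, host):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"] = status

    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/account/password/",
               "wsgi.url_scheme": "https", "HTTP_HOST": host}
    body = b"".join(app(environ, start_response))
    return result["status"], body


if __name__ == "__main__":
    for host in ("www.example.com", "WWW.example.com:443", "attacker.example", ""):
        print(repr(host), "->", call(protected_app, host)[0])
```

Rejecting at the web server remains the better place for this check, since it also covers static files and any non-Django content served from the same address; the middleware only sees requests that reach the application. Matching is on the exact name after port stripping, so a subdomain or wildcard policy would need to be added deliberately rather than by loosening the comparison.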
CVE-2011-4140 is a Cross-Site Request Forgery (CSRF) vulnerability in Django's CSRF protection: when the web server accepts arbitrary HTTP Host headers, an attacker can forge requests using a DNS CNAME record and a web page containing JavaScript, leading to unauthorized actions performed as the victim. NVD lists Django through 1.2.7 and 1.3.x through 1.3.1 as affected; the security releases issued with the advisory were 1.2.7 and 1.3.1.
You are affected if you run a Django release in that range (any 1.2.x up to 1.2.7, or 1.3.0 or 1.3.1) behind a web server that answers requests for hostnames it was not configured to serve. The security releases 1.2.7 and 1.3.1 are the minimum to run, and restricting accepted Host values at the web server removes the precondition on any version. Check the installed Django version with python -c 'import django; print(django.get_version())', and separately confirm how your web server responds to a request whose Host header is not one of your site's names.
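As an added example (not from this page or the Django project), the following script encodes the 1.2.7 and 1.3.1 security-release thresholds and applies them to the installed Django, if one is importable, and to exact pins in a requirements.txt; SAMPLE_REQUIREMENTS is a constructed sample. It only decides whether a version predates the security release for its series; it cannot tell whether the web server accepts arbitrary Host headers, which has to be checked separately.

```python
"""Flag Django versions below the CVE-2011-4140 security releases.

Added example, not part of the page or of Django. Thresholds follow the
advisory's security releases: 1.2.7 for the 1.2 series and 1.3.1 for 1.3.
"""
import re

# First release of each series that shipped with the advisory. Assumption:
# series older than 1.2 were out of support and got no fix, so anything
# below 1.2.7 is reported as needing an upgrade.
SECURITY_RELEASES = {(1, 2): (1, 2, 7), (1, 3): (1, 3, 1)}

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?")
# Match a requirement for the package "django" itself, not django-something.
_NAME_RE = re.compile(r"^django(?=\s*(?:[<>=!~]|$))", re.IGNORECASE)
_PIN_RE = re.compile(r"^django\s*==\s*([0-9][0-9.]*)", re.IGNORECASE)


def parse_version(text):
    """'1.3' -> (1, 3, 0); '1.2.7' -> (1, 2, 7). Suffixes such as 'alpha' are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised Django version: %r" % (text,))
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def below_security_release(version):
    """True if `version` predates the security release for its series."""
    v = parse_version(version)
    if v < (1, 2, 7):
        return True            # 1.2.0 to 1.2.6, and older unsupported series
    threshold = SECURITY_RELEASES.get(v[:2])
    if threshold is None:
        return False           # 1.4 and later postdate the advisory
    return v < threshold


def installed_django_below_security_release():
    """None if Django is not importable, otherwise the check on its version."""
    try:
        import django
    except ImportError:
        return None
    return below_security_release(django.get_version())


def check_requirements(text):
    """Return (requirement, verdict) for each Django line in a requirements file.

    verdict is True/False for an exact '==' pin and None for a range or bare
    name, which a dependency resolver rather than a regex has to settle.
    """
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not _NAME_RE.match(line):
            continue
        pin = _PIN_RE.match(line)
        results.append((line, below_security_release(pin.group(1)) if pin else None))
    return results


# Constructed sample, not a real project's file.
SAMPLE_REQUIREMENTS = """\
Django==1.2.5
django-debug-toolbar==0.9.4   # different package, must not match
Django>=1.3,<1.4
"""

if __name__ == "__main__":
    labels = {True: "below security release", False: "ok",
              None: "undecided (not an exact pin)"}
    for requirement, verdict in check_requirements(SAMPLE_REQUIREMENTS):
        print(requirement, "->", labels[verdict])
    print("installed Django below security release:",
          installed_django_below_security_release())
```

Run it inside the virtualenv of the deployment you are assessing so that the import picks up the Django that actually serves traffic; a pin in a requirements file only tells you what was intended, not what is installed.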
Upgrade to Django 1.2.7 (1.2 series) or 1.3.1 (1.3 series) or later, and configure the web server to reject requests for hostnames it does not serve. A WAF helps only if it enforces that same Host allowlist; it cannot filter DNS CNAME records.
No active campaigns against this specific CVE have been publicly reported, but CSRF remains a persistent attack class, public PoC code exists, and the vulnerability's age means any deployment still exposed has been unpatched for a long time.
Refer to the Django security advisory for CVE-2011-4140: https://security.djangoproject.com/advisories/CVE-2011-4140/