The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through
1.3.1 does not properly handle web-server configurations supporting
arbitrary HTTP Host headers, which allows remote attackers to trigger
unauthenticated forged requests via vectors involving a DNS CNAME record
and a web page containing JavaScript code.
 jdstrand> Upstream does not consider this a bug in Django but instead advises
  that web servers be properly configured: "To avoid this potential attack, we
  recommend that users of Django ensure their web-server configuration always
  validates incoming HTTP Host headers against the expected host name,
  disallows requests with no Host header, and that the web server not be
  configured with a catch-all virtual host which forwards requests to a Django
 jdstrand> in addition to the vulnerabilities python-django disclosed, they
  also posted 3 advisories. 2 of them did not receive a CVE, but this one did.
  Upstream is not planning on fixing the issue as it is dependent on an
  insecure server configuration, as such there is nothing to be done in
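
The check upstream describes (validate the Host header against the expected host name, reject requests with no Host header), expressed as a WSGI middleware. This is an added example, not Django's or the tracker's code; upstream's advice is to enforce this in the web server itself, and `ALLOWED_HOSTS`, `normalize_host`, `HostValidationMiddleware`, `demo_app`, `probe` and the host names are assumptions made for the illustration.

```python
import re

# Constructed placeholder values: the only names this site should answer to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
# Host name or bracketed IPv6 literal, optional numeric port, nothing else.
_HOST_RE = re.compile(r"(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(:[0-9]{1,5})?")


def normalize_host(raw):
    """Return the lower-cased host without port, or None if absent/malformed."""
    m = _HOST_RE.fullmatch(raw.lower()) if raw else None
    if m is None:
        return None
    return m.group(1).rstrip(".") or None   # "example.com." == "example.com"


class HostValidationMiddleware:
    """Reject requests whose Host header is missing or not an expected name."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app = app
        self.allowed = {h.lower().rstrip(".") for h in allowed_hosts}

    def __call__(self, environ, start_response):
        # Look only at the client-supplied header. SERVER_NAME is filled in
        # by the server and would hide a missing Host header.
        host = normalize_host(environ.get("HTTP_HOST"))
        if host is None or host not in self.allowed:
            body = b"Bad Request: unrecognized Host header\n"
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the wrapped application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def probe(app, host_header):
    """Send one constructed request to a WSGI app and return its status."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "backend"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    seen = []
    list(app(environ, lambda status, headers: seen.append(status)))
    return seen[0]
```
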

Updated: 2019-03-26 12:28:04 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)