Description
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.
Remediation
References
Related Vulnerabilities
Apache HTTP Server CVE-2013-6438 Vulnerability (CVE-2013-6438)
WordPress Plugin SupportEzzy Ticket System Cross-Site Scripting (1.2.5)
OpenSSL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-0702)
SharePoint Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-1202)