Bug 1302699 (CVE-2016-2048)

Summary: CVE-2016-2048 python-django: user with "change" but not "add" permission can create objects for ModelAdmin
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Django 1.9.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-02 07:44:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Prpič 2016-01-28 12:13:56 UTC
The following flaw was found in Django:

If a "ModelAdmin" uses "save_as=True" (not the default), the admin provides an option when editing objects to "Save as new". A regression in Django 1.9 prevented that form submission from raising a "Permission Denied" error for users without the "add" permission.

This issue affects upstream version 1.9 of Django; versions 1.8 and older are not affected.
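The permission gate the description refers to, modelled as an added example (this is not Django's code and not part of the bug report). It is a dependency-free re-implementation of the decision an admin change view has to make when `save_as=True`: a "Save as new" submission creates a new object, so it must pass the "add" check rather than only the "change" check of the URL it was posted to. The class and method names (`has_add_permission`, `has_change_permission`, `PermissionDenied`, the `_saveasnew` POST key) mirror Django's admin, but the request and admin classes below are stubs constructed for this script; the "vulnerable" path shows the ordering that lets a change-only user create objects, and the "fixed" path shows one way to order the checks so that it raises.

```python
"""Simplified model of the admin "Save as new" permission gate.

Added example, not Django's code: the request, admin and exception classes
are stubs so the script runs offline. The two view functions differ only in
where the "_saveasnew" submission is classified as an add.
"""


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (constructed stub)."""


class FakeRequest:
    """Constructed stand-in for an HttpRequest carrying a user's permissions."""

    def __init__(self, method, post, perms):
        self.method = method
        self.POST = dict(post)
        self.perms = frozenset(perms)


class ModelAdminLike:
    """Constructed stand-in for a ModelAdmin with save_as=True (not the default)."""

    save_as = True

    def has_add_permission(self, request):
        return "add" in request.perms

    def has_change_permission(self, request, obj=None):
        return "change" in request.perms

    def _is_save_as_new(self, request):
        return (self.save_as and request.method == "POST"
                and "_saveasnew" in request.POST)

    def changeform_view_vulnerable(self, request, object_id):
        # Gate only on how the view was reached: an object_id means the
        # change URL, so only "change" is checked. "Save as new" then creates
        # a new object below that gate without ever consulting "add".
        if object_id is None:
            if not self.has_add_permission(request):
                raise PermissionDenied
            return "added"
        if not self.has_change_permission(request):
            raise PermissionDenied
        if self._is_save_as_new(request):
            return "added"  # new object created with no add check
        return "changed"

    def changeform_view_fixed(self, request, object_id):
        # Classify the submission before any gate: "Save as new" is an add,
        # so it is routed through the add check regardless of the URL used.
        if self._is_save_as_new(request):
            object_id = None
        if object_id is None:
            if not self.has_add_permission(request):
                raise PermissionDenied
            return "added"
        if not self.has_change_permission(request):
            raise PermissionDenied
        return "changed"


def outcome(view, request, object_id):
    """Run a view and fold PermissionDenied into a plain result string."""
    try:
        return view(request, object_id)
    except PermissionDenied:
        return "denied"


def compare(perms, post, object_id=1):
    """Return (vulnerable_result, fixed_result) for a user with the given perms."""
    admin = ModelAdminLike()
    req = FakeRequest("POST", post, perms)
    return (outcome(admin.changeform_view_vulnerable, req, object_id),
            outcome(admin.changeform_view_fixed, req, object_id))


if __name__ == "__main__":
    # change-only user pressing "Save as new" on an existing object
    print(compare({"change"}, {"_saveasnew": "Save as new"}))
    # same user doing an ordinary save
    print(compare({"change"}, {"_save": "Save"}))
    # user holding both permissions
    print(compare({"add", "change"}, {"_saveasnew": "Save as new"}))
```

The useful regression check is the first case: a user holding only the "change" permission submits `_saveasnew` against an existing object and the vulnerable ordering reports `added` where the fixed ordering reports `denied`; ordinary saves and fully permissioned users behave identically in both.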

Comment 1 Martin Prpič 2016-01-28 12:14:57 UTC
Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.

Comment 2 Martin Prpič 2016-02-02 07:43:20 UTC
Public via:

External References:

https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/