Bug 1663722 (CVE-2019-3498)

Summary: CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bkearney, cbillett, sisharma, tomckay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-27 03:22:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1670137, 1663723, 1663724, 1663725, 1663801, 1663802, 1663803, 1670115, 1694359, 1694360, 1694361, 1694362, 1694363
Bug Blocks: 1663727

Description Sam Fowler 2019-01-07 02:15:41 UTC
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via a crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.


External Reference:

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/


Upstream Patches:

https://github.com/django/django/commit/1ecc0a395
https://github.com/django/django/commit/1cd00fcf5
https://github.com/django/django/commit/9f4ed7c94
https://github.com/django/django/commit/64d2396e8
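
Added illustration (not code from the bug report or from Django itself) of why a 404 page that echoes the request path is spoofable and how percent-quoting the path removes the problem. It assumes, as I understand the upstream fix, that the request_path context variable is now passed through urllib.parse.quote (upstream also stopped showing the path in the default template); the template string and the sample path are constructed here.

```python
from html import escape
from urllib.parse import quote

# Constructed stand-in for the pre-fix 404 page: the path was HTML-escaped
# (so no script injection) but otherwise shown verbatim as readable text.
TEMPLATE = ("<h1>Page not found</h1>"
            "<p>The current path, {path}, didn't match any of these.</p>")


def render_404_unquoted(request_path: str) -> str:
    """Vulnerable variant: HTML-escaping alone leaves attacker-chosen words in
    the path legible on the error page, which is the content-spoofing issue."""
    return TEMPLATE.format(path=escape(request_path))


def render_404_quoted(request_path: str) -> str:
    """Hardened variant (assumed to mirror the upstream fix): percent-encode
    the path first, so spaces and punctuation become %XX sequences and the
    path no longer reads as a sentence."""
    return TEMPLATE.format(path=escape(quote(request_path)))


def reflects_readable_text(body: str, request_path: str) -> bool:
    """Defensive check for a captured 404 body: True when the raw path
    (spaces and punctuation intact) appears verbatim, i.e. it is spoofable."""
    return escape(request_path) in body


# Constructed sample path: ordinary words and punctuation, no HTML metacharacters.
SAMPLE_PATH = "/Notice: demo sentence supplied through the URL, not by the site"

if __name__ == "__main__":
    print(render_404_unquoted(SAMPLE_PATH))
    print(render_404_quoted(SAMPLE_PATH))
```

Run against a real deployment, the same check applies to the body of any 404 response whose custom template still renders request_path.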

Comment 1 Sam Fowler 2019-01-07 02:15:58 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-29 [bug 1663725]


Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1663724]
Affects: fedora-all [bug 1663723]

Comment 6 Nick Tait 2019-03-30 18:20:10 UTC
All python-django versions provided by Red Hat OpenStack Platform are affected.

openstack   -> python-django
============================
8           -> 1.8.18-1
8(optools)  -> 1.8.14-1
9           -> 1.8.18-1
9(optools)  -> 1.8.14-1
10          -> 1.8.19-1
13          -> 1.11.11-1
14          -> 1.11.13-2

Comment 10 Richard Maciel Costa 2019-05-29 17:43:49 UTC
Statement:

This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not accessible by default because of the firewall rules, thus this flaw cannot be used. However, it can be triggered on the Content Delivery Systems.

Red Hat Satellite is not affected, since python-django is only used on Pulp API, which only returns JSON data.