Bug 1788425 (CVE-2019-19844)

Summary: CVE-2019-19844 Django: crafted email address allows account takeover
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: urgent
Priority: urgent
Version: unspecified
CC: amctagga, anharris, apevec, bbuckingham, bcourt, bkearney, bniver, btotty, cbuissar, flucifre, gmeno, hhudgeon, hvyas, jal233, jjoyce, jschluet, lhh, lpeer, lzap, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, rchan, rjerrido, sclewis, sgallagh, sisharma, slavek.kabrda, slinaber, sokeeffe, sparks, vereddy
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Django 3.0.1, Django 2.2.9, Django 1.11.27
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django where it did not sanitize the email input from the password recovery form. An attacker with the knowledge of the victim user’s email address could use this flaw to reset the victim user’s password and retrieve the reset link to gain access and take over their account.
Story Points: ---
Last Closed: 2021-10-28 01:29:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1788428, 1789418, 1788426, 1788427, 1788429, 1788769, 1789033, 1789182, 1789183, 1789184, 1789224, 1789225, 1789234, 1789417
Bug Blocks: 1788430

Description msiddiqu 2020-01-07 07:38:15 UTC
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

External References:

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

References: 

https://seclists.org/oss-sec/2019/q4/163
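The description above is terse about the mechanism, so here is an added illustration (not Django's code and not part of this bug record) of why a password-reset lookup must not trust the submitted address. It assumes a constructed in-memory user table in place of the database, and `db_iexact` is a stand-in for a backend's case-insensitive equality, modelled as `UPPER(a) = UPPER(b)`; under simple uppercase mappings some non-ASCII letters (here U+0131, dotless i) map onto ASCII ones, so a look-alike address matches the registered one. The hardened version applies the two defences the releases introduced: it re-checks the match with NFKC normalisation plus casefold (the UTR 36 comparison the upstream fix added) and, as the description says, sends the token only to the address stored on the user record.

```python
"""Added example for CVE-2019-19844: vulnerable vs. hardened reset-token
recipient selection. Constructed data and helpers, not Django's own code."""
import unicodedata
from typing import List

# Constructed in-memory user table standing in for the database.
USERS = [
    {"username": "mike", "email": "mike@example.com", "is_active": True},
    {"username": "bob", "email": "bob@example.com", "is_active": False},
]


def db_iexact(a: str, b: str) -> bool:
    """Stand-in for a database's case-insensitive equality (`iexact`).

    Modelled as UPPER(a) = UPPER(b). Simple uppercase mappings send some
    non-ASCII letters onto ASCII ones (U+0131 dotless i uppercases to 'I'),
    so two visually different addresses can compare equal here.
    """
    return a.upper() == b.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison per UTR 36 section 2.11.2(B)(2):
    NFKC-normalise, then casefold. casefold() has no mapping for dotless i,
    so 'mıke' is not considered equal to 'mike'."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients_vulnerable(submitted_email: str) -> List[str]:
    """Pre-fix behaviour: rely solely on the DB's case-insensitive lookup and
    mail the token to the *submitted* address."""
    return [submitted_email for u in USERS
            if u["is_active"] and db_iexact(u["email"], submitted_email)]


def reset_recipients_fixed(submitted_email: str) -> List[str]:
    """Post-fix behaviour: keep the DB lookup, re-check the match in Python
    with the Unicode-aware comparison, and mail only the *stored* address.
    Mailing the stored address alone already defeats the takeover; the
    second comparison stops look-alike submissions from matching at all."""
    return [u["email"] for u in USERS
            if u["is_active"]
            and db_iexact(u["email"], submitted_email)
            and unicode_ci_compare(u["email"], submitted_email)]


if __name__ == "__main__":
    lookalike = "m\u0131ke@example.com"  # constructed look-alike of mike@example.com
    print("vulnerable:", reset_recipients_vulnerable(lookalike))    # ['mıke@example.com']
    print("fixed:", reset_recipients_fixed(lookalike))              # []
    print("fixed, legitimate:", reset_recipients_fixed("MIKE@example.com"))  # ['mike@example.com']
```

Running it shows the vulnerable path mailing the token to the look-alike address while the fixed path returns no recipient for it and still serves the legitimate user whose address differs only in ASCII case. For detection, the useful signal is a reset request whose submitted address differs from the matched user's stored address after NFKC-normalisation and casefold; logging that mismatch on the reset endpoint flags abuse attempts against unpatched deployments.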

Comment 1 msiddiqu 2020-01-07 07:40:08 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1788427]
Affects: epel-8 [bug 1788429]
Affects: fedora-all [bug 1788426]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1788428]

Comment 2 Summer Long 2020-01-08 03:30:58 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1788769]

Comment 7 Riccardo Schirone 2020-01-08 15:45:02 UTC
This vulnerability can be exploited in applications that use PasswordResetForm.

Comment 16 Summer Long 2020-01-09 22:27:09 UTC
Mitigation:

Unless the password-reset form is disabled, this flaw can only be resolved by applying updates.

Comment 20 Summer Long 2021-01-14 05:36:00 UTC
Statement:

This flaw depends upon the use of Django's password reset functionality. The following products ship the flawed code but do not use this functionality:
* Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3
* Red Hat Gluster Storage 3
* Red Hat Certified Cloud and Service Provider Certification 1
* Red Hat OpenStack Platform, all versions. No updates will be provided at this time for the RHOSP django package.
* Red Hat Satellite 6, all versions