Bug 1788425 (CVE-2019-19844)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-19844 Django: crafted email address allows account takeover | | |
| Product | [Other] Security Response | Reporter | msiddiqu |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX | QA Contact | |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | unspecified | CC | amctagga, anharris, apevec, bbuckingham, bcourt, bkearney, bniver, btotty, cbuissar, flucifre, gmeno, hhudgeon, hvyas, jal233, jjoyce, jschluet, lhh, lpeer, lzap, mbenjamin, mburns, mhackett, mhroncok, michel, mmccune, mrunge, rchan, rjerrido, sclewis, sgallagh, sisharma, slavek.kabrda, slinaber, sokeeffe, sparks, vereddy |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | Django 3.0.1, Django 2.2.9, Django 1.11.27 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Django where it did not sanitize the email input from the password recovery form. An attacker with the knowledge of the victim user's email address could use this flaw to reset the victim user's password and retrieve the reset link to gain access and take over their account. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-10-28 01:29:31 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1788428, 1789418, 1788426, 1788427, 1788429, 1788769, 1789033, 1789182, 1789183, 1789184, 1789224, 1789225, 1789234, 1789417 | | |
| Bug Blocks | 1788430 | | |
Description
msiddiqu
2020-01-07 07:38:15 UTC
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1788427]
Affects: epel-8 [bug 1788429]
Affects: fedora-all [bug 1788426]

Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1788428]

Created python-django tracking bugs for this issue:
Affects: openstack-rdo [bug 1788769]

Upstream patches:
* 3.0.x: https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26
* 2.2.x: https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e
* 1.11.x: https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2

This vulnerability can be exploited in applications that use PasswordResetForm.

Mitigation:
Unless the password-reset form is disabled, this flaw can only be resolved by applying updates.

Statement:
This flaw depends upon the use of Django's password reset functionality. The following products ship the flawed code but do not use this functionality:
* Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3
* Red Hat Gluster Storage 3
* Red Hat Certified Cloud and Service Provider Certification 1
* Red Hat OpenStack Platform, all versions. No updates will be provided at this time for the RHOSP django package.
* Red Hat Satellite 6, all versions
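The following is an added illustration of the defensive shape of a password-reset lookup; it is not Django's code and not the content of the upstream patches linked above. It shows the two properties that close the gap the bug report describes: the user row returned by a case-insensitive database lookup is re-checked in Python with a strict Unicode comparison, and the reset link is addressed to the email stored on the user record rather than to whatever string the requester submitted. All names here (`User`, `collation_key`, `db_iexact_lookup`, `unicode_ci_compare`, `reset_recipients`, `SAMPLE_USERS`) are invented for the example; `collation_key` is a constructed stand-in for a database collation that compares addresses case- and accent-insensitively, which is an assumption about the backend, not a statement about any particular deployment.

```python
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a user row (constructed for this example)."""
    email: str
    is_active: bool = True
    usable_password: bool = True


def collation_key(s: str) -> str:
    """Constructed stand-in for a loose database collation: decompose,
    drop combining marks, casefold.  This models an `email__iexact`-style
    lookup that matches more addresses than a Python comparison would."""
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def db_iexact_lookup(users, email):
    """Rows the (simulated) case-insensitive ORM filter would return."""
    return [u for u in users if collation_key(u.email) == collation_key(email)]


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Strict case-insensitive comparison done in Python, independent of the
    database collation: NFKC-normalise both sides, then casefold."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients(users, submitted_email):
    """Return the STORED addresses a reset link may be sent to.

    1. Every database hit is re-checked in Python, so a row matched only by
       a loose collation is dropped.
    2. Addresses come from the user record, never from the submitted
       string, so the link cannot be routed to an address the requester typed.
    """
    candidates = [
        u for u in db_iexact_lookup(users, submitted_email)
        if u.is_active and u.usable_password
    ]
    return [u.email for u in candidates
            if unicode_ci_compare(submitted_email, u.email)]


# Constructed sample data; "jos\u00e9" is "josé" with a precomposed e-acute.
SAMPLE_USERS = [
    User("alice@example.com"),
    User("jos\u00e9@example.com"),
    User("bob@example.com", is_active=False),
]

if __name__ == "__main__":
    for submitted in ("Alice@Example.COM", "jose@example.com",
                      "Jos\u00e9@example.com", "bob@example.com"):
        hits = len(db_iexact_lookup(SAMPLE_USERS, submitted))
        print(f"{submitted!r:24} db hits={hits} "
              f"recipients={reset_recipients(SAMPLE_USERS, submitted)}")
```

Running it shows the difference between the two layers: "jose@example.com" produces one database hit under the loose collation, but the Python re-check rejects it and no reset mail is addressed; "Jos\u00e9@example.com" and "Alice@Example.COM" differ from the stored rows only in letter case and are accepted, and the recipient returned is always the stored address.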