| Summary: | CVE-2020-13596 django: possible XSS via admin ForeignKeyRawIdWidget | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | andrea.manzi, apevec, bbuckingham, bcourt, bkearney, btotty, hhudgeon, hvyas, jal233, jjoyce, jschluet, lhh, lpeer, lzap, mburns, mhroncok, michal.simon, michel, mmccune, mrunge, nmoumoul, pviktori, rchan, rdopiera, rjerrido, sclewis, sgallagh, slavek.kabrda, slinaber, sokeeffe |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Django-3.0.7, Django-2.2.13 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in Django, where the query parameters for the admin widget `ForeignKeyRawIdWidget` were not properly URL encoded. This flaw allows an attacker to perform a Cross-site scripting (XSS) attack. The highest threat from this vulnerability is to confidentiality. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-28 18:12:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1843629, 1843630, 1843626, 1843627, 1843631, 1844992, 1845335, 1845336, 1845337, 1845525, 1845582, 1846525, 1851982 | | |
| Bug Blocks: | 1843628 | | |
Description
Guilherme de Almeida Suckevicz
2020-06-03 16:48:19 UTC
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1843630]

Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1843626]
Affects: fedora-all [bug 1843627]
Affects: openstack-rdo [bug 1843631]

Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1843629]

External References:
https://www.djangoproject.com/weblog/2020/jun/03/security-releases

Patches have been applied to Django's master branch and the 3.1, 3.0, and 2.2 release branches.
Master branch: https://github.com/django/django/commit/2dd4d110c159d0c81dff42eaead2c378a0998735
3.1 release branch: https://github.com/django/django/commit/49d7cc19e33a104bb23f7ae1dbb1240b4f6c40f9
3.0 release branch: https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38
2.2 release branch: https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815

Created python2-django1.11 tracking bugs for this issue:
Affects: fedora-all [bug 1845525]

Statement:
The following products ship the flawed code; however, they do not make use of ForeignKeyRawIdWidget and are therefore not vulnerable to this flaw:
* Red Hat Satellite 6
* Red Hat Update Infrastructure 3
* Red Hat OpenStack Platform 13, 15, & 16
* Red Hat Gluster Storage 3

The version of python-django shipped with Red Hat Ceph Storage (RHCS) was used with calamari and graphite, which are no longer supported; hence the django package will not be fixed for RHCS.
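As an added illustration of the flaw described in the Doc Text above (this is example code written for this page, not Django's source and not the upstream patch): a stripped-down model of how the raw-id widget's lookup parameters end up in the "related lookup" changelist link, with the unencoded string join beside the percent-encoded form. In Django the parameters are derived from the related field's `limit_choices_to`; the lookup dict, the changelist URL and the function names below are constructed for the example, and `urllib.parse.urlencode` stands in for `django.utils.http.urlencode`.

```python
"""Model of the CVE-2020-13596 pattern: lookup parameters interpolated into the
admin raw-id widget's changelist link without percent-encoding, next to the
encoded form. Example code written for this page; not Django's source."""
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample lookup dict, shaped like what Django derives from a related
# field's limit_choices_to. Two values are attacker-controlled for the example.
LIMIT_CHOICES = {
    "status__exact": "published",
    "owner__name__exact": '"><script>alert(1)</script>',  # attribute break-out
    "title__contains": "a&b=c",                           # parameter smuggling
}

# Hypothetical changelist URL; Django would obtain it from reverse().
CHANGELIST_URL = "/admin/app/author/"


def related_url_unencoded(base, params):
    """Pre-fix pattern: keys and values are joined into the query string
    verbatim, so any '"', '<' or '&' in a value reaches the HTML as-is."""
    if not params:
        return base
    return base + "?" + "&".join("%s=%s" % (k, v) for k, v in params.items())


def related_url_encoded(base, params):
    """Fixed pattern: percent-encode every key and value. urllib's urlencode
    stands in for django.utils.http.urlencode (same output for scalar values)."""
    if not params:
        return base
    return base + "?" + urlencode(params)


def render_lookup_link(url):
    """Render the link the way a template does once the URL has been marked
    safe: the value is dropped into the attribute with no HTML escaping."""
    return '<a href="%s" class="related-lookup" id="lookup_id_owner"></a>' % url


def query_params(url):
    """Parse the query string back into a dict to see what the changelist
    view would actually receive."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def breaks_out_of_attribute(html):
    """True when another tag opens after the first '>' of the rendered anchor,
    i.e. injected characters terminated the href attribute early."""
    first_close = html.find(">")
    return "<" in html[first_close + 1:-len("</a>")]


if __name__ == "__main__":
    unsafe = related_url_unencoded(CHANGELIST_URL, LIMIT_CHOICES)
    safe = related_url_encoded(CHANGELIST_URL, LIMIT_CHOICES)
    print("unencoded:", render_lookup_link(unsafe))
    print("encoded:  ", render_lookup_link(safe))
    print("server sees (unencoded):", query_params(unsafe))
    print("server sees (encoded):  ", query_params(safe))
```

Two things are worth checking in the output. The unencoded link not only closes the `href` attribute and starts a `<script>` tag, it also splits `a&b=c` into a second query parameter (`b=c`) that the changelist view never asked for, so the same bug is a parameter-injection vector even where a template would otherwise escape the value. The encoded link round-trips exactly: `query_params` returns the original dict and the URL contains no `"` or `<`. The upstream commits linked above make the same change in the widget, replacing the string join with Django's `urlencode` helper; anyone who subclasses `ForeignKeyRawIdWidget` and overrides `url_parameters` should confirm their values take the encoded path rather than being concatenated into `related_url` by hand.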