Bug 1843625 (CVE-2020-13596)

Summary: CVE-2020-13596 django: possible XSS via admin ForeignKeyRawIdWidget
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: andrea.manzi, apevec, bbuckingham, bcourt, bkearney, btotty, hhudgeon, hvyas, jal233, jjoyce, jschluet, lhh, lpeer, lzap, mburns, mhroncok, michal.simon, michel, mmccune, mrunge, nmoumoul, pviktori, rchan, rdopiera, rjerrido, sclewis, sgallagh, slavek.kabrda, slinaber, sokeeffe
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Django-3.0.7, Django-2.2.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django, where the query parameters for the admin widget `ForeignKeyRawIdWidget` were not properly URL encoded. This flaw allows an attacker to perform a Cross-site scripting (XSS) attack. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Last Closed: 2021-10-28 18:12:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1843629, 1843630, 1843626, 1843627, 1843631, 1844992, 1845335, 1845336, 1845337, 1845525, 1845582, 1846525, 1851982
Bug Blocks: 1843628

Description Guilherme de Almeida Suckevicz 2020-06-03 16:48:19 UTC
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now ensures query parameters are correctly URL encoded.

Reference:
https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
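The Doc Text and the description above both say the same thing: the widget's lookup link was built from query parameters that were not URL encoded. The example below is added here to show why that is an XSS vector and why percent-encoding closes it; it is not Django's code and not the patch. It models the pre-fix pattern (key/value pairs concatenated raw and the result passed to the template as already-safe markup) beside the post-fix pattern (urllib.parse.urlencode, with ordinary attribute escaping left to the template). The base URL, the parameter names and the payload value are constructed for the illustration; in the real widget the pairs are derived from limit_choices_to.

```python
"""Added example (not Django's code): unencoded vs. encoded query string in a
rendered <a href="..."> attribute, as for the admin ForeignKeyRawIdWidget."""
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample input: a limit_choices_to-style filter whose value carries
# an attribute-breakout payload. Names and URL are hypothetical.
BASE_URL = "/admin/app/author/"
PARAMS = {"name__icontains": 'x" onmouseover="alert(1)', "active__exact": "1"}

TEMPLATE = '<a href="%s" class="related-lookup"></a>'


def render_attr(value, is_safe):
    """Model of template autoescaping: a value flagged as safe is emitted
    verbatim, anything else is HTML-escaped for the attribute context."""
    return value if is_safe else escape(value, quote=True)


def build_link_unencoded(base, params):
    """Pre-fix pattern: keys and values concatenated raw, '&amp;' used as the
    separator, and the whole URL flagged safe so the template does not escape
    it. A double quote in a value terminates the href attribute early."""
    url = base + "?" + "&amp;".join("%s=%s" % (k, v) for k, v in params.items())
    return TEMPLATE % render_attr(url, is_safe=True)


def build_link_encoded(base, params):
    """Post-fix pattern: percent-encode every key and value with urlencode(),
    then let normal attribute escaping handle the '&' separators."""
    url = base + "?" + urlencode(params)
    return TEMPLATE % render_attr(url, is_safe=False)


def href_params(rendered):
    """Recover the query parameters a browser would actually send for the
    href attribute. Anything that broke out of the attribute is absent."""
    href = unescape(re.search(r'href="([^"]*)"', rendered).group(1))
    return {k: v[0] for k, v in parse_qs(urlsplit(href).query).items()}


def has_injected_handler(rendered):
    """True when an on* event-handler attribute appears as markup, i.e. the
    payload escaped the href value and became part of the tag."""
    return bool(re.search(r"\son[a-z]+\s*=", rendered))


if __name__ == "__main__":
    for label, build in (("unencoded", build_link_unencoded),
                         ("encoded", build_link_encoded)):
        out = build(BASE_URL, PARAMS)
        print(label, out)
        print("  params seen by browser:", href_params(out))
        print("  injected handler:", has_injected_handler(out))
```

With the unencoded builder the browser sees a truncated filter (name__icontains=x) and an onmouseover handler attached to the link; with urlencode() the same payload round-trips intact as data and no handler is present. The check is the same one a practitioner would apply to any widget or template that assembles a URL by string formatting: parse the rendered href back and confirm it yields exactly the intended parameters.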

Comment 1 Guilherme de Almeida Suckevicz 2020-06-03 16:48:59 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1843630]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1843626]
Affects: fedora-all [bug 1843627]
Affects: openstack-rdo [bug 1843631]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1843629]

Comment 3 Yadnyawalk Tale 2020-06-08 06:20:35 UTC
External References:

https://www.djangoproject.com/weblog/2020/jun/03/security-releases

Comment 10 Riccardo Schirone 2020-06-09 13:00:57 UTC
Created python2-django1.11 tracking bugs for this issue:

Affects: fedora-all [bug 1845525]

Comment 19 Hardik Vyas 2020-06-29 14:44:05 UTC
Statement:

The following products ship the flawed code; however, they do not make use of ForeignKeyRawIdWidget and are therefore not vulnerable to this flaw:
* Red Hat Satellite 6
* Red Hat Update Infrastructure 3
* Red Hat OpenStack Platform 13, 15, & 16
* Red Hat Gluster Storage 3

The version of python-django shipped with Red Hat Ceph Storage (RHCS) was used with calamari and graphite, which are no longer supported; hence the django package will not be fixed for RHCS.