Bug 2048775 (CVE-2022-22818)
| Summary: | CVE-2022-22818 django: Possible XSS via '{% debug %}' template tag | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amctagga, anharris, apevec, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, caswilli, cmeyers, davidn, dbecker, ehelms, flucifre, gblomqui, gmeno, hvyas, jal233, jcammara, jhardy, jjoyce, jobarker, jschluet, jsherril, jwong, kaycoth, lhh, lpeer, lzap, mabashia, mbenjamin, mburns, mhackett, mhroncok, mhulan, michel, mmccune, mrunge, mulliken, myarboro, nmoumoul, notting, orabin, osapryki, pcreech, rchan, rdopiera, relrod, rhos-maint, rpetrell, sclewis, sdoran, security-response-team, sgallagh, slavek.kabrda, slinaber, smcdonal, sostapov, tkuratom, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | django 4.0.2, django 3.2.12, django 2.2.27 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Django. The ``{% debug %}`` template tag did not properly encode the current context, posing a Cross-site scripting attack vector (XSS).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-07-05 21:22:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2049326, 2049328, 2051701, 2051702, 2051703, 2037754, 2048894, 2048895, 2049330, 2049332, 2050718, 2050729, 2050730, 2050745, 2050846, 2056085 | ||
| Bug Blocks: | 2048788 | ||
| Attachments: | |||
Created attachment 1858140 [details]
0001-2.2.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch
Created attachment 1858141 [details]
0001-3.2.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch
Created attachment 1858142 [details]
0001-4.0.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch
Created attachment 1858143 [details]
0001-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-debug-te.patch
Created django:1.6/python-django tracking bugs for this issue: Affects: fedora-all [bug 2049326] Created python-django tracking bugs for this issue: Affects: epel-all [bug 2049328] Affects: fedora-all [bug 2049332] Affects: openstack-rdo [bug 2049330] This issue has been addressed in the following products: Red Hat Satellite 6.11 for RHEL 7 Red Hat Satellite 6.11 for RHEL 8 Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-22818 This issue has been addressed in the following products: Red Hat Satellite 6.12 for RHEL 8 Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:8853 https://access.redhat.com/errata/RHSA-2022:8853 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:8872 https://access.redhat.com/errata/RHSA-2022:8872 |
The ``{% debug %}`` template tag didn't properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``.