Bug 1486451 – CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1486451 - (CVE-2017-12794) CVE-2017-12794 python-django: Possible XSS in traceback section of technical 500 debug page

Summary:	CVE-2017-12794 python-django: Possible XSS in traceback section of technical ...

Status:	NEW

Aliases:	CVE-2017-12794

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20170905,reported=2...
Keywords:	Security

Depends On:	1488764
Blocks:
	Show dependency tree / graph

Reported:	2017-08-29 15:11 EDT by Pedro Sampaio
Modified:	2018-06-29 18:27 EDT (History)
CC List:	36 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Patch for Django master (9.06 KB, patch) 2017-08-29 15:15 EDT, Pedro Sampaio	no flags	Details \| Diff
Patch for Django 1.11.x (8.21 KB, patch) 2017-08-29 15:16 EDT, Pedro Sampaio	no flags	Details \| Diff
Patch for Django 1.10.x (7.28 KB, patch) 2017-08-29 15:16 EDT, Pedro Sampaio	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2017-08-29 15:11:00 EDT

In older versions, HTML autoescaping was disabled in a portion of the
template for the technical 500 debug page. Given the right
circumstances, this allowed a cross-site scripting attack. This
vulnerability shouldn't affect most production sites since you shouldn't
run with ``DEBUG = True`` (which makes this page accessible) in your
production settings.

Affected versions
=================

* Django master development branch
* Django 1.11
* Django 1.10

Django 1.8 is unaffected and Django 1.9 reached end-of-life in April 2017.

Comment 1 Pedro Sampaio 2017-08-29 15:15 EDT

Created attachment 1319747 [details]
Patch for Django master

Comment 2 Pedro Sampaio 2017-08-29 15:16 EDT

Created attachment 1319748 [details]
Patch for Django 1.11.x

Comment 3 Pedro Sampaio 2017-08-29 15:16 EDT

Created attachment 1319749 [details]
Patch for Django 1.10.x

Comment 4 Andrej Nemec 2017-09-06 03:55:28 EDT

External References:

https://www.djangoproject.com/weblog/2017/sep/05/security-releases/

Comment 5 Andrej Nemec 2017-09-06 03:56:05 EDT

Created python-django tracking bugs for this issue:

Affects: fedora-all [bug 1488764]

Note You need to log in before you can comment on or make changes to this bug.

apevec
bcourt
bkabrda
bkearney
cbillett
chrisw
gmollett
jakub.dornak
jal233
jjoyce
jmatthew
jschluet
kbasil
lhh
lpeer
markmc
mburns
mhroncok
michel
mmccune
mrike
mrunge
ohadlevy
rbryant
rhos-maint
sclewis
security-response-team
sgallagh
sisharma
slinaber
smooge
srevivo
tdecacqu
tjay
tomckay
tsanders