Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view. External Reference: https://www.djangoproject.com/weblog/2019/jan/04/security-releases/ Upstream Patches: https://github.com/django/django/commit/1ecc0a395 https://github.com/django/django/commit/1cd00fcf5 https://github.com/django/django/commit/9f4ed7c94 https://github.com/django/django/commit/64d2396e8
Created django:1.6/python-django tracking bugs for this issue: Affects: fedora-29 [bug 1663725] Created python-django tracking bugs for this issue: Affects: epel-7 [bug 1663724] Affects: fedora-all [bug 1663723]
All python-django versions provided by Red Hat OpenStack Platform are affected. openstack -> python-django ============================ 8 -> 1.8.18-1 8(optools) -> 1.8.14-1 9 -> 1.8.18-1 9(optools) -> 1.8.14-1 10 -> 1.8.19-1 13 -> 1.11.11-1 14 -> 1.11.13-2
Statement: This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not accessible by default because of the firewall rules, thus this flaw cannot be used. However, it can be triggered on the Content Delivery Systems. Red Hat Satellite is not affected, since python-django is only used on Pulp API, which only returns JSON data.