The ``{% debug %}`` template tag didn't properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``.
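The two behaviours described above (no output unless ``DEBUG`` is on, and escaping of every context value) are modelled below in an added, Django-free example; this is not Django's own ``DebugNode`` code. It assumes Python's ``html.escape`` as a stand-in for Django's ``escape`` and uses a constructed context in which one value carries markup.

```python
import html
from pprint import pformat

# Constructed sample context: the "q" value carries markup, as a value taken from
# an untrusted request parameter might when the tag dumps it into the page as-is.
SAMPLE_CONTEXT = {
    "user": "alice",
    "q": "<script>alert(1)</script>",
}


def render_debug_unescaped(context, debug):
    """Pre-fix behaviour: every context value is dumped into the HTML unescaped,
    regardless of the DEBUG setting (``debug`` is accepted but ignored)."""
    return "\n".join(f"{key} = {pformat(value)}" for key, value in context.items())


def render_debug_fixed(context, debug):
    """Post-fix behaviour: empty output when DEBUG is False; when True, both the
    variable name and its pretty-printed value are HTML-escaped before output."""
    if not debug:
        return ""
    return "\n".join(
        f"{html.escape(key)} = {html.escape(pformat(value))}"
        for key, value in context.items()
    )


def contains_raw_markup(rendered):
    """Check helper: True if an unescaped opening tag survived into the output."""
    return "<script" in rendered


if __name__ == "__main__":
    print("before fix:\n" + render_debug_unescaped(SAMPLE_CONTEXT, True))
    print("\nafter fix (DEBUG=True):\n" + render_debug_fixed(SAMPLE_CONTEXT, True))
    print("\nafter fix (DEBUG=False): " + repr(render_debug_fixed(SAMPLE_CONTEXT, False)))
```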
Created attachment 1858140 0001-2.2.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch
Created attachment 1858141 0001-3.2.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch
Created attachment 1858142 0001-4.0.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch
Created attachment 1858143 0001-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-debug-te.patch
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 2049326]
Created python-django tracking bugs for this issue:
Affects: epel-all [bug 2049328]
Affects: fedora-all [bug 2049332]
Affects: openstack-rdo [bug 2049330]
This issue has been addressed in the following products:
Red Hat Satellite 6.11 for RHEL 7
Red Hat Satellite 6.11 for RHEL 8
Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-22818
This issue has been addressed in the following products: Red Hat Satellite 6.12 for RHEL 8 Via RHSA-2022:8506 https://access.redhat.com/errata/RHSA-2022:8506
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:8853 https://access.redhat.com/errata/RHSA-2022:8853
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:8872 https://access.redhat.com/errata/RHSA-2022:8872