Bug 1715915 (CVE-2019-12308) - CVE-2019-12308 django: missing URL validation by AdminURLFieldWidget leads to generation of clickable unsafe JavaScript link causing cross site scripting
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12308
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1716763 1716764 1720832 1727669 1727670 1727671
Blocks: 1715928
Reported: 2019-05-31 15:45 UTC by msiddiqu
Modified: 2021-10-27 03:28 UTC (History)

Fixed In Version: Django 2.2.2, Django 2.1.9, Django 1.11.21
Doc Type: If docs needed, set a value
Doc Text:
A validation flaw was found in Django's AdminURLFieldWidget. The clickable Current URL link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. An unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
Clone Of:
Environment:
Last Closed: 2021-10-27 03:28:57 UTC



Description msiddiqu 2019-05-31 15:45:06 UTC
The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
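
The following is an added illustration, not Django's own code, of the flaw described above and the kind of check the linked upstream patch introduces: a minimal model of the "Currently:" link rendered for a URL field, in a vulnerable form that puts any stored value straight into ``href`` and a hardened form that only emits an anchor when the value passes URL validation. The scheme allow-list (http, https, ftp, ftps) and the ``render_current_link_*`` / ``is_safe_url`` names are assumptions made for this example; Django's actual widget delegates to its ``URLValidator``.

```python
# Added example (not Django's code): model of the "Currently:" link that a URL
# field widget renders, before and after adding URL validation.
from html import escape
from urllib.parse import urlsplit

# Assumption for this example: schemes a URL field may link to.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def is_safe_url(value: str) -> bool:
    """Return True only for an absolute URL with an allow-listed scheme and a host.

    A value such as "javascript:alert(1)" has scheme "javascript" and no host,
    so it is rejected; a scheme-relative "//host/path" has no scheme and is
    rejected as well.
    """
    try:
        parts = urlsplit(value.strip())
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def _anchor(value: str) -> str:
    # HTML-escaping stops tag/attribute injection but does nothing about the
    # URL scheme: a javascript: value survives escaping unchanged.
    return f'<a href="{escape(value, quote=True)}">{escape(value)}</a>'


def render_current_link_vulnerable(value: str) -> str:
    """Pre-fix behaviour: whatever was stored becomes a clickable link."""
    if not value:
        return ""
    return f'<p class="url">Currently: {_anchor(value)}</p>'


def render_current_link_hardened(value: str) -> str:
    """Post-fix behaviour: only a validated URL becomes an anchor; anything
    else is displayed as inert, escaped text."""
    if not value:
        return ""
    if is_safe_url(value):
        return f'<p class="url">Currently: {_anchor(value)}</p>'
    return f'<p class="url">Currently: {escape(value)}</p>'


if __name__ == "__main__":
    # Constructed sample values: one legitimate URL, two script-scheme values
    # (the second with mixed case), and a scheme-relative URL.
    samples = [
        "https://example.com/docs",
        "javascript:alert(1)",
        "JaVaScRiPt:alert(1)",
        "//evil.example/x",
    ]
    for sample in samples:
        print("vulnerable:", render_current_link_vulnerable(sample))
        print("hardened:  ", render_current_link_hardened(sample))
```

The point to take from the two renderers is that output encoding alone is not a URL check: ``escape()`` leaves a ``javascript:`` value intact, so the decision of whether a stored value may become a link has to be made on the parsed scheme and host before the anchor is emitted.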

Comment 1 Dhananjay Arunesh 2019-06-04 05:06:39 UTC
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

Reference:
http://www.openwall.com/lists/oss-security/2019/06/03/2
https://docs.djangoproject.com/en/dev/releases/1.11.21/
https://docs.djangoproject.com/en/dev/releases/2.1.9/
https://docs.djangoproject.com/en/dev/releases/2.2.2/
https://docs.djangoproject.com/en/dev/releases/security/
https://www.djangoproject.com/weblog/2019/jun/03/security-releases/

Upstream Patch:
https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673
https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62
https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b

Comment 2 Dhananjay Arunesh 2019-06-04 05:10:12 UTC
Created python-django tracking bugs for this issue:

Affects: fedora-30 [bug 1716763]

Comment 3 Dhananjay Arunesh 2019-06-04 05:10:33 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1716764]

Comment 5 Summer Long 2019-06-04 06:53:47 UTC
Acknowledgments:

Name: the Django project

Comment 17 Riccardo Schirone 2019-06-19 13:08:15 UTC
Statement:

* This issue affects the version of python-django as shipped with Red Hat Gluster Storage 3 as it contains the vulnerable code.
* This issue does not affect Red Hat Satellite 6, versions 6.3, 6.4 and 6.5, because its django component only returns content-type as JSON, which does not lead to cross site scripting.
* This issue does not affect Red Hat Update Infrastructure 3 because it does not use any of the Widgets provided by python-django, including AdminURLFieldWidget.
* This issue does not affect redhat-certification because it does not use AdminURLFieldWidget from python-django package.

Comment 19 Summer Long 2019-07-08 01:02:47 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1727671]

