Bug 1781269 (CVE-2019-19118) - CVE-2019-19118 django: privilege escalation in the django admin
Summary: CVE-2019-19118 django: privilege escalation in the django admin
Keywords:
Status: NEW
Alias: CVE-2019-19118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1781271 1781272 1781273 1781312 1781361 1781270
Blocks: 1781274
Reported: 2019-12-09 16:50 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-01-15 00:45 UTC (History)
CC List: 35 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Guilherme de Almeida Suckevicz 2019-12-09 16:50:47 UTC
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)

Reference:
https://www.openwall.com/lists/oss-security/2019/12/02/1
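The permission gap described above, as an added pure-Python model (not Django's code; Django is not imported): `Perms`, `ParentRecord`, `inline_perms_shown` and `submit_changeform` are constructed names, and the `patched` flag switches between the pre-fix behaviour and the fix the description mentions (editable inlines require change permission on the parent).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Perms:
    """Model-level permissions as the admin resolves them for one user."""
    view: bool = False
    add: bool = False
    change: bool = False
    delete: bool = False


@dataclass
class ParentRecord:
    """Constructed stand-in for the view-only parent model instance. save_count
    records how often save() ran, i.e. how often pre_save/post_save handlers
    would have fired in a real Django project."""
    pk: int
    save_count: int = 0

    def save(self) -> None:
        self.save_count += 1


def inline_perms_shown(parent: Perms, inline: Perms, patched: bool) -> Perms:
    """Permissions the admin grants on an inline formset of an existing parent.
    patched=False: the inline's own permissions are honoured regardless of the
    parent, so a view-only parent page still renders an editing UI (the bug).
    patched=True: editable inlines also need change permission on the parent."""
    if patched and not parent.change:
        return Perms(view=inline.view or inline.change)
    return inline


def submit_changeform(obj: ParentRecord, parent: Perms, inline: Perms,
                      inline_data: dict, patched: bool) -> str:
    """Model the admin change-form POST and return its outcome."""
    if not (parent.view or parent.change):
        return "denied: no access to the change page"
    eff = inline_perms_shown(parent, inline, patched)
    if not parent.change and not (eff.add or eff.change or eff.delete):
        return "denied: parent is view-only"  # nothing editable, so no POST path
    # The parent form validates trivially (every field is read-only for a
    # view-only user), so the admin saves the parent, running save() and its
    # signal handlers, before it saves the inline formsets with inline_data.
    obj.save()
    return "saved"
```

With `patched=False` a view-only parent still gets saved once per accepted inline POST; with `patched=True` the same request is refused and `save_count` stays at zero.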

Comment 1 Guilherme de Almeida Suckevicz 2019-12-09 16:51:12 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1781271]
Affects: epel-8 [bug 1781272]
Affects: fedora-all [bug 1781270]
Affects: openstack-rdo [bug 1781273]

Comment 2 Miro Hrončok 2019-12-09 16:56:10 UTC
This does not affect Django 1.x? Because that's what we ship in EPEL 7. And in the Django module. And in the python2-django1.11 package.

This does not affect Django 3.0? Because that's what we ship in Fedora 32 (rawhide).

Comment 3 Miro Hrončok 2019-12-09 16:58:57 UTC
3.0 is affected as well, according to https://www.openwall.com/lists/oss-security/2019/12/02/1

1.x is probably unsupported at this point, so we would need to find out ourselves. May I ask to open Bugzillas for https://src.fedoraproject.org/modules/django and https://src.fedoraproject.org/rpms/python2-django1.11 ?

Comment 4 Guilherme de Almeida Suckevicz 2019-12-09 18:16:03 UTC
Created python2-django1.11 tracking bugs for this issue:

Affects: fedora-all [bug 1781312]

Comment 5 Guilherme de Almeida Suckevicz 2019-12-09 18:20:45 UTC
(In reply to Miro Hrončok from comment #3)
> 3.0 is affected as well, according to
> https://www.openwall.com/lists/oss-security/2019/12/02/1
> 
> 1.x is probably unsupported at this point, so we would need to find out
> ourselves. May I ask to open Bugzillas for
> https://src.fedoraproject.org/modules/django and
> https://src.fedoraproject.org/rpms/python2-django1.11 ?

Please use the following trackers:
django: https://bugzilla.redhat.com/show_bug.cgi?id=1781270
python2-django1.11: https://bugzilla.redhat.com/show_bug.cgi?id=1781312

Comment 6 Miro Hrončok 2019-12-09 19:19:55 UTC
(In reply to Guilherme de Almeida Suckevicz from comment #5)
> (In reply to Miro Hrončok from comment #3)
> > 3.0 is affected as well, according to
> > https://www.openwall.com/lists/oss-security/2019/12/02/1
> > 
> > 1.x is probably unsupported at this point, so we would need to find out
> > ourselves. May I ask to open Bugzillas for
> > https://src.fedoraproject.org/modules/django and
> > https://src.fedoraproject.org/rpms/python2-django1.11 ?
> 
> Please use the following trackers:
> django: https://bugzilla.redhat.com/show_bug.cgi?id=1781270


This is for the nonmodular package. Since the modular one is in completely different version, different upstream and different Fedora maintainer, could you please create a separate bug for the module?

Comment 7 Guilherme de Almeida Suckevicz 2019-12-09 21:01:36 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1781361]

Comment 9 Hardik Vyas 2019-12-30 08:35:31 UTC
External References:

https://www.djangoproject.com/weblog/2019/dec/02/security-releases/

Comment 10 Hardik Vyas 2019-12-30 09:27:20 UTC
Statement:

The version of Django shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 is not affected, as edit permissions are not enabled.

