Bug 1788425 (CVE-2019-19844) - CVE-2019-19844 Django: crafted email address allows account takeover
Summary: CVE-2019-19844 Django: crafted email address allows account takeover
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-19844
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1789418 1788426 1788427 1788428 1788429 1788769 1789033 1789182 1789183 1789184 1789224 1789225 1789234 1789417
Blocks: 1788430
TreeView+ depends on / blocked
 
Reported: 2020-01-07 07:38 UTC by msiddiqu
Modified: 2021-12-14 18:47 UTC (History)
36 users (show)

Fixed In Version: Django 3.0.1, Django 2.2.9, Django 1.11.27
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django where it did not sanitize the email input from the password recovery form. An attacker with the knowledge of the victim user’s email address could use this flaw to reset the victim user’s password and retrieve the reset link to gain access and take over their account.
Clone Of:
Environment:
Last Closed: 2021-10-28 01:29:31 UTC
Embargoed:


Attachments (Terms of Use)

Description msiddiqu 2020-01-07 07:38:15 UTC
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

External References:

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

References: 

https://seclists.org/oss-sec/2019/q4/163

Comment 1 msiddiqu 2020-01-07 07:40:08 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1788427]
Affects: epel-8 [bug 1788429]
Affects: fedora-all [bug 1788426]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1788428]

Comment 2 Summer Long 2020-01-08 03:30:58 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1788769]

Comment 7 Riccardo Schirone 2020-01-08 15:45:02 UTC
This vulnerability can be exploited in applications that use PasswordResetForm.

Comment 16 Summer Long 2020-01-09 22:27:09 UTC
Mitigation:

Unless the password-reset form is disabled, this flaw can only be resolved by applying updates.

Comment 20 Summer Long 2021-01-14 05:36:00 UTC
Statement:

This flaw depends upon the use of Django's password reset functionality. The following products ship the flawed code but do not use this functionality:
* Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3
* Red Hat Gluster Storage 3
* Red Hat Certified Cloud and Service Provider Certification 1
* Red Hat OpenStack Platform, all versions.  No updates will be provided at this time for the RHOSP django package.
* Red Hat Satellite 6, all versions


Note You need to log in before you can comment on or make changes to this bug.