Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

External References:
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

References:
https://seclists.org/oss-sec/2019/q4/163
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1788427]
Affects: epel-8 [bug 1788429]
Affects: fedora-all [bug 1788426]

Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1788428]

Created python-django tracking bugs for this issue:
Affects: openstack-rdo [bug 1788769]
Upstream patches:
* 3.0.x: https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26
* 2.2.x: https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e
* 1.11.x: https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2
This vulnerability can be exploited in applications that use Django's PasswordResetForm (the form behind the built-in password reset view).

Mitigation: Unless the password-reset form is disabled, this flaw can only be resolved by applying updates.
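To make the flaw and the described mitigation concrete, the following is an added, self-contained Python illustration; it is not Django's code and not taken from the upstream patches. It assumes a case-insensitive email lookup implemented as "upper-case both sides and compare" (a stand-in for a database `iexact` filter), a constructed one-user table, and placeholder names `reset_vulnerable` and `reset_fixed`. The vulnerable flow sends the token to whatever address was submitted; the hardened flow re-checks the match with an NFKC-plus-casefold comparison and sends the token only to the registered address, so a Unicode look-alike that collides under upper-casing (dotless i, U+0131) no longer reaches the attacker.

```python
import secrets
import unicodedata
from typing import List, Tuple

# Constructed sample user table (placeholder data, not from the advisory).
USERS = [{"id": 1, "email": "mike@example.com"}]


def db_iexact(stored: str, submitted: str) -> bool:
    """Assumed stand-in for a database case-insensitive equality: upper-case
    both sides and compare. Dotless i (U+0131) upper-cases to plain 'I', so
    'mıke@example.com' compares equal to 'mike@example.com' here."""
    return stored.upper() == submitted.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Stricter comparison: NFKC-normalise, then casefold. Characters that only
    collide under a one-way upper-casing (like U+0131) do not match."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_vulnerable(submitted_email: str) -> List[Tuple[str, str]]:
    """Pre-fix shape of the flow: match users case-insensitively and send the
    token to the *submitted* address. Returns (recipient, token) pairs."""
    deliveries = []
    for user in USERS:
        if db_iexact(user["email"], submitted_email):
            deliveries.append((submitted_email, secrets.token_urlsafe(16)))
    return deliveries


def reset_fixed(submitted_email: str) -> List[Tuple[str, str]]:
    """Post-fix shape of the flow: require the stricter comparison as well and
    always send the token to the *registered* address."""
    deliveries = []
    for user in USERS:
        if (db_iexact(user["email"], submitted_email)
                and unicode_ci_compare(user["email"], submitted_email)):
            deliveries.append((user["email"], secrets.token_urlsafe(16)))
    return deliveries


if __name__ == "__main__":
    lookalike = "m\u0131ke@example.com"  # dotless i instead of 'i'
    print("vulnerable:", [r for r, _ in reset_vulnerable(lookalike)])  # token goes to the look-alike
    print("fixed:     ", [r for r, _ in reset_fixed(lookalike)])       # no match, nothing sent
    print("fixed, legitimate case variant:",
          [r for r, _ in reset_fixed("MIKE@example.com")])            # token goes to mike@example.com
```

The two guards are independent: even if a backend's collation matched the look-alike, addressing the message to the stored email means the token never leaves the account owner's mailbox, while the stricter comparison keeps the form from confirming that a matching account exists at all. Ordinary ASCII case variants of a registered address still work.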
Statement: This flaw depends upon the use of Django's password reset functionality. The following products ship the flawed code but do not use this functionality:
* Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3
* Red Hat Gluster Storage 3
* Red Hat Certified Cloud and Service Provider Certification 1
* Red Hat OpenStack Platform, all versions. No updates will be provided at this time for the RHOSP django package.
* Red Hat Satellite 6, all versions