Bug 1663722 (CVE-2019-3498) - CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Summary: CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Alias: CVE-2019-3498
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1670137 1663723 1663724 1663725 1663801 1663802 1663803 1670115 1694359 1694360 1694361 1694362 1694363
Blocks: 1663727
TreeView+ depends on / blocked
Reported: 2019-01-07 02:15 UTC by Sam Fowler
Modified: 2021-10-27 03:22 UTC (History)
4 users (show)

Fixed In Version: python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 03:22:22 UTC

Attachments (Terms of Use)

Description Sam Fowler 2019-01-07 02:15:41 UTC
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.

External Reference:


Upstream Patches:


Comment 1 Sam Fowler 2019-01-07 02:15:58 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-29 [bug 1663725]

Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1663724]
Affects: fedora-all [bug 1663723]

Comment 6 Nick Tait 2019-03-30 18:20:10 UTC
All python-django versions provided by Red Hat OpenStack Platform are affected.

openstack   -> python-django
8           -> 1.8.18-1
8(optools)  -> 1.8.14-1
9           -> 1.8.18-1
9(optools)  -> 1.8.14-1
10          -> 1.8.19-1
13          -> 1.11.11-1
14          -> 1.11.13-2

Comment 10 Richard Maciel Costa 2019-05-29 17:43:49 UTC

This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not accessible by default because of the firewall rules, thus this flaw cannot be used. However, it can be triggered on the Content Delivery Systems.

Red Hat Satellite is not affected, since python-django is only used on Pulp API, which only returns JSON data.

Note You need to log in before you can comment on or make changes to this bug.