Bug 1663722 (CVE-2019-3498) - CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Summary: CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Status: NEW
Alias: CVE-2019-3498
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20190107,repor...
Keywords: Security
Depends On: 1663725 1663801 1663802 1663803 1670115 1670137 1663723 1663724
Blocks: 1663727
TreeView+ depends on / blocked
 
Reported: 2019-01-07 02:15 UTC by Sam Fowler
Modified: 2019-01-28 16:50 UTC (History)
7 users (show)

Fixed In Version: python-django 1.11.18, python-django 2.0.10, python-django 2.1.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Sam Fowler 2019-01-07 02:15:41 UTC
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.


External Reference:

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/


Upstream Patches:

https://github.com/django/django/commit/1ecc0a395
https://github.com/django/django/commit/1cd00fcf5
https://github.com/django/django/commit/9f4ed7c94
https://github.com/django/django/commit/64d2396e8

Comment 1 Sam Fowler 2019-01-07 02:15:58 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-29 [bug 1663725]


Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1663724]
Affects: fedora-all [bug 1663723]

Comment 3 Riccardo Schirone 2019-01-28 15:38:50 UTC
Statement:

This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not accessible by default because of the firewall rules, thus this flaw cannot be used. However, it can be triggered on the Content Delivery Systems.


Note You need to log in before you can comment on or make changes to this bug.