Bug 1663722 (CVE-2019-3498) - CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Summary: CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Status: NEW
Alias: CVE-2019-3498
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20190107,reported=2...
Keywords: Security
Depends On: 1663725 1663801 1663802 1670115 1670137 1694359 1694360 1694361 1694362 1694363 1663723 1663724 1663803
Blocks: 1663727
TreeView+ depends on / blocked
 
Reported: 2019-01-07 02:15 UTC by Sam Fowler
Modified: 2019-05-31 14:25 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Sam Fowler 2019-01-07 02:15:41 UTC
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.


External Reference:

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/


Upstream Patches:

https://github.com/django/django/commit/1ecc0a395
https://github.com/django/django/commit/1cd00fcf5
https://github.com/django/django/commit/9f4ed7c94
https://github.com/django/django/commit/64d2396e8

Comment 1 Sam Fowler 2019-01-07 02:15:58 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-29 [bug 1663725]


Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1663724]
Affects: fedora-all [bug 1663723]

Comment 6 Nick Tait 2019-03-30 18:20:10 UTC
All python-django versions provided by Red Hat OpenStack Platform are affected.

openstack   -> python-django
============================
8           -> 1.8.18-1
8(optools)  -> 1.8.14-1
9           -> 1.8.18-1
9(optools)  -> 1.8.14-1
10          -> 1.8.19-1
13          -> 1.11.11-1
14          -> 1.11.13-2

Comment 10 Richard Maciel Costa 2019-05-29 17:43:49 UTC
Statement:

This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not accessible by default because of the firewall rules, thus this flaw cannot be used. However, it can be triggered on the Content Delivery Systems.

Red Hat Satellite is not affected, since python-django is only used on Pulp API, which only returns JSON data.


Note You need to log in before you can comment on or make changes to this bug.