Bug 1843625 (CVE-2020-13596) - CVE-2020-13596 django: possible XSS via admin ForeignKeyRawIdWidget
Summary: CVE-2020-13596 django: possible XSS via admin ForeignKeyRawIdWidget
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-13596
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1843629 1843630 1843626 1843627 1843631 1844992 1845335 1845336 1845337 1845525 1845582 1846525 1851982
Blocks: 1843628
TreeView+ depends on / blocked
 
Reported: 2020-06-03 16:48 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)
30 users (show)

Fixed In Version: Django-3.0.7, Django-2.2.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django, where the query parameters for the admin widget `ForeignKeyRawIdWidget` were not properly URL encoded. This flaw allows an attacker to perform a Cross-site scripting (XSS) attack. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-10-28 18:12:14 UTC

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-06-03 16:48:19 UTC 
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now ensures query parameters are correctly URL encoded.

Reference:
https://www.djangoproject.com/weblog/2020/jun/03/security-releases/
Comment 1 Guilherme de Almeida Suckevicz 2020-06-03 16:48:59 UTC 
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1843630]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1843626]
Affects: fedora-all [bug 1843627]
Affects: openstack-rdo [bug 1843631]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1843629]
Comment 3 Yadnyawalk Tale 2020-06-08 06:20:35 UTC 
External References:

https://www.djangoproject.com/weblog/2020/jun/03/security-releases
Comment 4 Yadnyawalk Tale 2020-06-08 06:23:54 UTC 
Patches have been applied to Django's master branch and the 3.1, 3.0, and 2.2 release branches. 

Master branch: https://github.com/django/django/commit/2dd4d110c159d0c81dff42eaead2c378a0998735
3.1 release branch: https://github.com/django/django/commit/49d7cc19e33a104bb23f7ae1dbb1240b4f6c40f9
3.0 release branch: https://github.com/django/django/commit/1f2dd37f6fcefdd10ed44cb233b2e62b520afb38
2.2 release branch: https://github.com/django/django/commit/6d61860b22875f358fac83d903dc629897934815
Comment 10 Riccardo Schirone 2020-06-09 13:00:57 UTC 
Created python2-django1.11 tracking bugs for this issue:

Affects: fedora-all [bug 1845525]
Comment 19 Hardik Vyas 2020-06-29 14:44:05 UTC 
Statement:

The following products ship the flawed code, however they do not make use of ForeignKeyRawIdWidget and are therefore not vulnerable to this flaw:
* Red Hat Satellite 6
* Red Hat Update Infrastructure 3
* Red Hat OpenStack Platform 13, 15, & 16
* Red Hat Gluster Storage 3

The version of python-django shipped with Red Hat Ceph Storage(RHCS) was used with calamari and graphite which are no more supported, hence the django package will not be fixed for RHCS.
Note You need to log in before you can comment on or make changes to this bug.