Bug 2048775 (CVE-2022-22818) - CVE-2022-22818 django: Possible XSS via '{% debug %}' template tag
Summary: CVE-2022-22818 django: Possible XSS via '{% debug %}' template tag
Keywords:
Status: NEW
Alias: CVE-2022-22818
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2037754 2048894 2048895 2049326 2049328 2049330 2050718 2050730 2051701 2051702 2051703 2049332 2050729 2050745 2050846 2056085
Blocks: 2048788
 
Reported: 2022-01-31 19:24 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-23 04:26 UTC

Fixed In Version: django 4.0.2, django 3.2.12, django 2.2.27
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django. The ``{% debug %}`` template tag did not properly encode the current context, posing a Cross-site scripting attack vector (XSS).
Clone Of:
Environment:
Last Closed:


Attachments
0001-3.2.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch (6.80 KB, application/mbox), 2022-01-31 19:45 UTC, Guilherme de Almeida Suckevicz
0001-4.0.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch (7.49 KB, application/mbox), 2022-01-31 19:46 UTC, Guilherme de Almeida Suckevicz
0001-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-debug-te.patch (7.48 KB, application/mbox), 2022-01-31 19:47 UTC, Guilherme de Almeida Suckevicz

Description Guilherme de Almeida Suckevicz 2022-01-31 19:24:28 UTC
The ``{% debug %}`` template tag didn't properly encode the current context, posing an XSS attack vector. In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any information when the ``DEBUG`` setting is ``False``, and it ensures all context variables are correctly escaped when the ``DEBUG`` setting is ``True``.
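
The bug class described above, as an added stand-alone illustration that is not Django's code and not part of this bug report. It models a debug tag that dumps the template context into the page: `render_debug_vulnerable` returns the `pformat()` dump verbatim (so a context value carrying markup lands in the HTML unescaped), and `render_debug_fixed` applies the two mitigations named in the description, returning nothing unless debug mode is on and HTML-escaping each dump. The function names, the `debug` parameter, the use of the standard library's `html.escape` in place of Django's escaping, the plain list of dicts standing in for a Django `Context`, and the sample context itself are all assumptions constructed for the example. `find_debug_tags` is an extra audit helper for locating `{% debug %}` in template sources, which is the check a practitioner would run while deciding whether an application is exposed.

```python
"""Model of the CVE-2022-22818 bug class: a debug tag that dumps the
template context into HTML without escaping.

Constructed stand-alone illustration; it does not import Django. The
render_debug_* functions are hypothetical stand-ins for the template
tag's render method, html.escape stands in for Django's HTML escaping,
and the context is a plain list of dicts rather than a Django Context.
"""
import html
import re
from pprint import pformat

# Constructed sample context: the second layer holds a value that came
# from untrusted input (for example a query parameter echoed by a view).
SAMPLE_CONTEXT = [
    {"user": "alice", "csrf_token": "deadbeef"},
    {"query": "<script>alert(document.cookie)</script>"},
]


def render_debug_vulnerable(context):
    """Dump every context layer with pformat and return it verbatim.

    Any string in the context that contains markup reaches the page as
    live HTML, which is the XSS vector the advisory describes.
    """
    return "\n".join(pformat(layer) for layer in context)


def render_debug_fixed(context, debug):
    """Hardened form with both mitigations from the advisory text.

    - emit nothing at all unless debug mode is enabled;
    - HTML-escape each pformat() dump before it is concatenated, so
      '<' and '>' in context values become '&lt;' and '&gt;'.
    """
    if not debug:
        return ""
    return "\n".join(html.escape(pformat(layer)) for layer in context)


def contains_live_markup(rendered):
    """Crude detector: is there still an unescaped <script tag in the output?"""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None


# Matches the tag with or without surrounding whitespace: {% debug %} or {%debug%}.
DEBUG_TAG_RE = re.compile(r"{%\s*debug\s*%}")


def find_debug_tags(templates):
    """Audit helper: names of templates whose source uses {% debug %}.

    `templates` maps template name -> template source text; in a real
    project you would load the files from the template directories.
    """
    return sorted(name for name, src in templates.items() if DEBUG_TAG_RE.search(src))


if __name__ == "__main__":
    unsafe = render_debug_vulnerable(SAMPLE_CONTEXT)
    safe = render_debug_fixed(SAMPLE_CONTEXT, debug=True)
    print("vulnerable output contains live markup:", contains_live_markup(unsafe))
    print("fixed output contains live markup:    ", contains_live_markup(safe))
    print("fixed output with DEBUG=False:        ", repr(render_debug_fixed(SAMPLE_CONTEXT, debug=False)))
    print("templates using {% debug %}:", find_debug_tags({
        "base.html": "<html>{% block content %}{% endblock %}</html>",
        "dev.html": "{% debug %}",
    }))
```

Note that escaping the dump is what closes the injection; gating on `DEBUG` only limits exposure to environments where the tag should never be reachable by an attacker in the first place. An application that sets `DEBUG = True` in production remains exposed to whatever else that setting leaks, so the audit helper is useful for finding stray `{% debug %}` tags in templates regardless of the Django version in use.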

Comment 1 Guilherme de Almeida Suckevicz 2022-01-31 19:44:22 UTC
Created attachment 1858140 [details]
0001-2.2.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch

Comment 2 Guilherme de Almeida Suckevicz 2022-01-31 19:45:39 UTC
Created attachment 1858141 [details]
0001-3.2.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch

Comment 3 Guilherme de Almeida Suckevicz 2022-01-31 19:46:40 UTC
Created attachment 1858142 [details]
0001-4.0.x-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-de.patch

Comment 4 Guilherme de Almeida Suckevicz 2022-01-31 19:47:56 UTC
Created attachment 1858143 [details]
0001-Fixed-CVE-2022-22818-Fixed-possible-XSS-via-debug-te.patch

Comment 6 Summer Long 2022-02-01 23:07:24 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 2049326]


Created python-django tracking bugs for this issue:

Affects: epel-all [bug 2049328]
Affects: fedora-all [bug 2049332]
Affects: openstack-rdo [bug 2049330]

