Bug #9832

py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)

Added by Alicha CH 4 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version: -
Start date: 01/09/2019
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Affected versions:
Security IDs: CVE-2019-3498

Description

Django versions before 1.11.18, 2.0.10 and 2.1.5 are vulnerable to content spoofing via a crafted URL in the default 404 page.
An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.

Fixed In Version:

python-django 1.11.18, python-django 2.0.10, python-django 2.1.5

References:

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

Patch:

https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a


Subtasks

Bug #9833: [3.9] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498) | Closed | Natanael Copa

Bug #9834: [3.8] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498) | Closed | Natanael Copa

Bug #9835: [3.7] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498) | Closed | Natanael Copa

Bug #9836: [3.6] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498) | Closed | Natanael Copa

History

#1 Updated by Leonardo Arena 4 months ago

  • Status changed from New to Resolved

#2 Updated by Alicha CH 3 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
