Bug #9834

Bug #9832: py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)

[3.8] py-django: Content spoofing via URL path in default 404 page (CVE-2019-3498)

Added by Alicha CH 6 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Security
Target version:
Start date: 01/09/2019
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs: CVE-2019-3498

Description

Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via a crafted URL in the default 404 page.
An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.

Fixed In Version:

python-django 1.11.18, python-django 2.0.10, python-django 2.1.5

References:

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

Patch:

https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a

Associated revisions

Revision b3abab0e (diff)
Added by Leonardo Arena 5 months ago

main/py-django: security upgrade to 1.11.18 (CVE-2019-3498)

Fixes #9834

History

#1 Updated by Anonymous 5 months ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#2 Updated by Alicha CH 4 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
