Name | CVE-2019-19118 |
Description | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.) |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 946011 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
python-django (PTS) | jessie, jessie (lts) | 1.7.11-1+deb8u17 | fixed |
stretch (security) | 1:1.10.7-2+deb9u17 | fixed | |
stretch (lts), stretch | 1:1.10.7-2+deb9u23 | fixed | |
buster, buster (lts) | 1:1.11.29-1+deb10u12 | fixed | |
buster (security) | 1:1.11.29-1+deb10u11 | fixed | |
bullseye (security), bullseye | 2:2.2.28-1~deb11u2 | fixed | |
bookworm (security), bookworm | 3:3.2.19-1+deb12u1 | fixed | |
trixie | 3:4.2.16-1 | fixed | |
sid | 3:4.2.17-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
python-django | source | jessie | (not affected) | |||
python-django | source | stretch | (not affected) | |||
python-django | source | buster | (not affected) | |||
python-django | source | (unstable) | 2:2.2.8-1 | 946011 |
[buster] - python-django <not-affected> (Vulnerable code introduced later)
[stretch] - python-django <not-affected> (Vulnerable code introduced later)
[jessie] - python-django <not-affected> (Vulnerable code introduced later)
https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
Introduced after https://github.com/django/django/commit/825f0beda804e48e9197fcf3b0d909f9f548aa47 (2.1a1)
https://github.com/django/django/commit/11c5e0609bcc0db93809de2a08e0dc3d70b393e4 (master)
https://github.com/django/django/commit/092cd66cf3c3e175acce698d6ca2012068d878fa (3.0 branch)
https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21 (2.2 branch)
https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244 (2.1 branch)