CVE-2019-19118

NameCVE-2019-19118
DescriptionDjango 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs946011

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)jessie, jessie (lts)1.7.11-1+deb8u17fixed
stretch (security)1:1.10.7-2+deb9u17fixed
stretch (lts), stretch1:1.10.7-2+deb9u23fixed
buster, buster (lts)1:1.11.29-1+deb10u12fixed
buster (security)1:1.11.29-1+deb10u11fixed
bullseye (security), bullseye2:2.2.28-1~deb11u2fixed
bookworm (security), bookworm3:3.2.19-1+deb12u1fixed
sid, trixie3:4.2.16-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcewheezy(unfixed)end-of-life
python-djangosourcejessie(not affected)
python-djangosourcestretch(not affected)
python-djangosourcebuster(not affected)
python-djangosource(unstable)2:2.2.8-1946011

Notes

[buster] - python-django <not-affected> (Vulnerable code introduced later)
[stretch] - python-django <not-affected> (Vulnerable code introduced later)
[jessie] - python-django <not-affected> (Vulnerable code introduced later)
https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
Introduced after https://github.com/django/django/commit/825f0beda804e48e9197fcf3b0d909f9f548aa47 (2.1a1)
https://github.com/django/django/commit/11c5e0609bcc0db93809de2a08e0dc3d70b393e4 (master)
https://github.com/django/django/commit/092cd66cf3c3e175acce698d6ca2012068d878fa (3.0 branch)
https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21 (2.2 branch)
https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244 (2.1 branch)

Search for package or bug name: Reporting problems