{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-01T01:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}, {"name": "USN-4224-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4224-1/"}, {"name": "DSA-4598", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4598"}, {"name": "20200108 [SECURITY] [DSA 4598-1] python-django security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2020/Jan/9"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"}, {"name": "FEDORA-2020-adb4f0143a", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"}, {"name": "GLSA-202004-17", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202004-17"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19844", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.djangoproject.com/en/dev/releases/security/", "refsource": "MISC", "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0"}, {"name": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}, {"name": "USN-4224-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4224-1/"}, {"name": "DSA-4598", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4598"}, {"name": "20200108 [SECURITY] [DSA 4598-1] python-django security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/9"}, {"name": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}, {"name": "https://security.netapp.com/advisory/ntap-20200110-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"}, {"name": "FEDORA-2020-adb4f0143a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"}, {"name": "GLSA-202004-17", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202004-17"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:25:12.834Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}, {"name": "USN-4224-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4224-1/"}, {"name": "DSA-4598", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4598"}, {"name": "20200108 [SECURITY] [DSA 4598-1] python-django security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2020/Jan/9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"}, {"name": "FEDORA-2020-adb4f0143a", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"}, {"name": "GLSA-202004-17", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202004-17"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19844", "datePublished": "2019-12-18T18:07:11", "dateReserved": "2019-12-17T00:00:00", "dateUpdated": "2024-08-05T02:25:12.834Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "B19BDC93-017C-444E-BE89-E5951564C6F1", "versionEndExcluding": "1.11.27", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "72FE3431-6956-4197-B0B7-9263888FF1FC", "versionEndExcluding": "2.2.9", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "C23D9FE4-31F5-4A23-916E-8EC763886DC9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"}, {"lang": "es", "value": "Django versiones anteriores a 1.11.27, versiones 2.x anteriores a 2.2.9 y versiones 3.x anteriores a 3.0.1, permite tomar el control de la cuenta. Una direcci\u00f3n de correo electr\u00f3nico dise\u00f1ada adecuadamente (que es igual a la direcci\u00f3n de correo electr\u00f3nico de un usuario existente despu\u00e9s de la transformaci\u00f3n de may\u00fasculas y min\u00fasculas de los caracteres Unicode) permitir\u00eda a un atacante enviarle un token de restablecimiento de contrase\u00f1a para la cuenta de usuario coincidente. (Una mitigaci\u00f3n en las nuevas versiones es enviar tokens de restablecimiento de contrase\u00f1a solo a la direcci\u00f3n de correo electr\u00f3nico del usuario registrado)."}], "id": "CVE-2019-19844", "lastModified": "2023-11-07T03:07:49.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-18T19:15:11.780", "references": [{"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2020/Jan/9"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202004-17"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4224-1/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2020/dsa-4598"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Django: crafted email address allows account takeover", "id": "1788425", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1788425"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-290", "details": ["Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)", "A flaw was found in Django where it did not sanitize the email input from the password recovery form. An attacker with the knowledge of the victim user\u2019s email address could use this flaw to reset the victim user\u2019s password and retrieve the reset link to gain access and take over their account."], "mitigation": {"lang": "en:us", "value": "Unless the password-reset form is disabled, this flaw can only be resolved by applying updates."}, "name": "CVE-2019-19844", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Will not fix", "impact": "low", "package_name": "calamari-server", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Affected", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:certifications:1::el7", "fix_state": "Affected", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:7", "fix_state": "Out of support scope", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Out of support scope", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}, {"cpe": "cpe:/a:redhat:openstack:16", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 16 (Train)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2019-12-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-19844\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-19844\nhttps://www.djangoproject.com/weblog/2019/dec/18/security-releases/"], "statement": "This flaw depends upon the use of Django's password reset functionality. The following products ship the flawed code but do not use this functionality:\n* Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* Red Hat Gluster Storage 3\n* Red Hat Certified Cloud and Service Provider Certification 1\n* Red Hat OpenStack Platform, all versions. No updates will be provided at this time for the RHOSP django package.\n* Red Hat Satellite 6, all versions\n* Red Hat Update Infrastructure 3", "threat_severity": "Critical", "upstream_fix": "Django 3.0.1, Django 2.2.9, Django 1.11.27"}