CVE-2019-12781 – Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
https://notcve.org/view.php?id=CVE-2019-12781
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP.
• References:
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
http://www.openwall.com/lists/oss-security/2019/07/01/3
http://www.securityfocus.com/bid/109018
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/forum/#%21topic/django-announce/Is4kLY9ZcZQ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5VXXWIOQGXOB7JCGJ3CVUW673LDHKEYL
https:/&
• CWE-319: Cleartext Transmission of Sensitive Information
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2019-12308
https://notcve.org/view.php?id=CVE-2019-12308
An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.
• References:
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
http://www.openwall.com/lists/oss-security/2019/06/03/2
http://www.securityfocus.com/bid/108559
https://docs.djangoproject.com/en/dev/releases/1.11.21
https://docs.djangoproject.com/en/dev/releases/2.1.9
https://docs.djangoproject.com/en/dev/releases/2.2.2
https://docs.djangoproject.com/en/dev/releases/security
https:/
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-6975
https://notcve.org/view.php?id=CVE-2019-6975
Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2.1.6 allows Uncontrolled Memory Consumption via a malicious attacker-supplied value to the django.utils.numberformat.format() function.
• References:
http://www.securityfocus.com/bid/106964
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/forum/#%21topic/django-announce/WTwEAprR0IQ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/66WMXHGBXD7GSM3PEXVCMCAGLMQYHZCU
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ
https://seclists.org/bugtraq/2019/Jul/10
https://usn.ubuntu.com/3890-1
https://www.debian.org/se
• CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2019-3498
https://notcve.org/view.php?id=CVE-2019-3498
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
• References:
http://www.securityfocus.com/bid/106453
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ
https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ
https://usn.ubuntu.com/3851-1
https://www.debian.org/security/2019/dsa-4363
https://www.djangoproject.com/weblog/2019/jan/04/security-release
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2018-16984
https://notcve.org/view.php?id=CVE-2018-16984
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
• References:
http://www.securitytracker.com/id/1041749
https://security.netapp.com/advisory/ntap-20190502-0009
https://www.djangoproject.com/weblog/2018/oct/01/security-release
• CWE-522: Insufficiently Protected Credentials