CVE-2019-19118

NameCVE-2019-19118
DescriptionDjango 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs946011

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)jessie1.7.11-1+deb8u3fixed
jessie (security)1.7.11-1+deb8u7fixed
stretch (security), stretch1:1.10.7-2+deb9u6fixed
buster, buster (security)1:1.11.23-1~deb10u1fixed
bullseye1:1.11.23-1~deb10u1vulnerable
sid2:2.2.8-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)2:2.2.8-1946011
python-djangosourcebuster(not affected)
python-djangosourcejessie(not affected)
python-djangosourcestretch(not affected)

Notes

[buster] - python-django <not-affected> (Vulnerable code introduced later)
[stretch] - python-django <not-affected> (Vulnerable code introduced later)
[jessie] - python-django <not-affected> (Vulnerable code introduced later)
https://www.djangoproject.com/weblog/2019/dec/02/security-releases/
Introduced after https://github.com/django/django/commit/825f0beda804e48e9197fcf3b0d909f9f548aa47 (2.1a1)
https://github.com/django/django/commit/11c5e0609bcc0db93809de2a08e0dc3d70b393e4 (master)
https://github.com/django/django/commit/092cd66cf3c3e175acce698d6ca2012068d878fa (3.0 branch)
https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21 (2.2 branch)
https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244 (2.1 branch)

Search for package or bug name: Reporting problems