|Description||Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|stretch (security), stretch||1:1.10.7-2+deb9u6||fixed|
|buster, buster (security)||1:1.11.23-1~deb10u1||fixed|
The information below is based on the following data on fixed versions.
[buster] - python-django <not-affected> (Vulnerable code introduced later)
[stretch] - python-django <not-affected> (Vulnerable code introduced later)
[jessie] - python-django <not-affected> (Vulnerable code introduced later)
Introduced after https://github.com/django/django/commit/825f0beda804e48e9197fcf3b0d909f9f548aa47 (2.1a1)
https://github.com/django/django/commit/092cd66cf3c3e175acce698d6ca2012068d878fa (3.0 branch)
https://github.com/django/django/commit/36f580a17f0b3cb087deadf3b65eea024f479c21 (2.2 branch)
https://github.com/django/django/commit/103ebe2b5ff1b2614b85a52c239f471904d26244 (2.1 branch)