CVE-2019-3498

NameCVE-2019-3498
DescriptionIn Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1629-1, DSA-4363-1
NVD severitymedium (attack range: remote)
Debian Bugs918230

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)jessie1.7.11-1+deb8u3vulnerable
jessie (security)1.7.11-1+deb8u7fixed
stretch1:1.10.7-2+deb9u4fixed
stretch (security)1:1.10.7-2+deb9u6fixed
buster1:1.11.21-1fixed
bullseye, buster (security)1:1.11.23-1~deb10u1fixed
sid2:2.2.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosource(unstable)1:1.11.18-1medium918230
python-djangosourcejessie1.7.11-1+deb8u4mediumDLA-1629-1
python-djangosourcestretch1:1.10.7-2+deb9u4mediumDSA-4363-1

Notes

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a (1.11.x)
https://github.com/django/django/commit/64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b (2.1.x)

Search for package or bug name: Reporting problems