CVE-2019-3498

NameCVE-2019-3498
DescriptionIn Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1629-1, DSA-4363-1
Debian Bugs918230

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)buster1:1.11.29-1~deb10u1fixed
buster (security)1:1.11.29-1+deb10u8fixed
bullseye (security), bullseye2:2.2.28-1~deb11u1fixed
bookworm, sid3:3.2.19-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcejessie1.7.11-1+deb8u4DLA-1629-1
python-djangosourcestretch1:1.10.7-2+deb9u4DSA-4363-1
python-djangosource(unstable)1:1.11.18-1918230

Notes

https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
https://github.com/django/django/commit/1cd00fcf52d089ef0fe03beabd05d59df8ea052a (1.11.x)
https://github.com/django/django/commit/64d2396e83aedba3fcc84ca40f23fbd22f0b9b5b (2.1.x)
Search for package or bug name: Reporting problems