Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

python-django: CVE-2019-19118

Related Vulnerabilities: CVE-2019-19118  

Source

Debian Bug report logs - #946011
python-django: CVE-2019-19118

version graph

Package: python-django; Maintainer for python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Source for python-django is src:python-django (PTS, buildd, popcon).

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Mon, 2 Dec 2019 20:24:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions 2:2.1-1, 1.7.11-1+deb8u7

Fixed in versions 2:2.2.8-1, 2:3.0-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#946011; Package python-django. (Mon, 02 Dec 2019 20:24:04 GMT) (full text, mbox, link).

Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 02 Dec 2019 20:24:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2019-19118
Date: Mon, 02 Dec 2019 21:20:51 +0100
Package: python-django
Version: 1.7.11-1+deb8u7
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19118[0]:
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19118
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#946011; Package python-django. (Mon, 02 Dec 2019 20:33:04 GMT) (full text, mbox, link).

Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 02 Dec 2019 20:33:04 GMT) (full text, mbox, link).

Message #10 received at 946011@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: 946011@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#946011: python-django: CVE-2019-19118
Date: Mon, 02 Dec 2019 21:30:49 +0100
Chris Lamb wrote:

> Package: python-django
> Version: 1.7.11-1+deb8u7
[…]
> CVE-2019-19118[0]:
> | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> | editing. A Django model admin displaying inline related models, where
> | the user has view-only permissions to a parent model but edit
> | permissions to the inline model, would be presented with an editing
> | UI, allowing POST requests, for updating the inline model. Directly
> | editing the view-only parent model was not possible, but the parent
> | model's save() method was called, triggering potential side effects,
> | and causing pre and post-save signal handlers to be invoked. (To
> | resolve this, the Django admin is adjusted to require edit permissions
> | on the parent model in order for inline models to be editable.)

Security team, would you like an upload for stable?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:33:05 GMT) (full text, mbox, link).

Marked as fixed in versions 2:2.2.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:33:06 GMT) (full text, mbox, link).

Marked as fixed in versions 2:3.0-1. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:33:08 GMT) (full text, mbox, link).

No longer marked as fixed in versions 2:3.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:36:05 GMT) (full text, mbox, link).

Marked as fixed in versions 2:3.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:36:07 GMT) (full text, mbox, link).

Marked as found in versions 2:2.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Dec 2019 20:54:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#946011; Package python-django. (Mon, 02 Dec 2019 20:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 02 Dec 2019 20:57:03 GMT) (full text, mbox, link).

Message #27 received at 946011@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>, 946011@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#946011: python-django: CVE-2019-19118
Date: Mon, 2 Dec 2019 21:54:41 +0100
Hi Chris,

On Mon, Dec 02, 2019 at 09:30:49PM +0100, Chris Lamb wrote:
> Chris Lamb wrote:
> 
> > Package: python-django
> > Version: 1.7.11-1+deb8u7
> […]
> > CVE-2019-19118[0]:
> > | Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
> > | editing. A Django model admin displaying inline related models, where
> > | the user has view-only permissions to a parent model but edit
> > | permissions to the inline model, would be presented with an editing
> > | UI, allowing POST requests, for updating the inline model. Directly
> > | editing the view-only parent model was not possible, but the parent
> > | model's save() method was called, triggering potential side effects,
> > | and causing pre and post-save signal handlers to be invoked. (To
> > | resolve this, the Django admin is adjusted to require edit permissions
> > | on the parent model in order for inline models to be editable.)
> 
> Security team, would you like an upload for stable?

As far I can see this issue has been introduced around 2.1 where the
surch support for view permissions and a read-only admin support was
added. Before that the issue does not seem to be present and as such
not affecting buster, nor stretch or older.

I have updated this bug with some metadata with that regard. Can you
confirm this assessment?

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#946011; Package python-django. (Tue, 03 Dec 2019 20:30:08 GMT) (full text, mbox, link).

Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 03 Dec 2019 20:30:08 GMT) (full text, mbox, link).

Message #32 received at 946011@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: "Salvatore Bonaccorso" <carnil@debian.org>, 946011@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#946011: python-django: CVE-2019-19118
Date: Tue, 03 Dec 2019 21:25:42 +0100
Dear Salvatore,

> > Security team, would you like an upload for stable?
> 
> As far I can see this issue has been introduced around 2.1 where the
> search support for view permissions and a read-only admin support was
> added.  […]

Upon further inspection that is my reading too. I was being overly-
cautious in assuming that it was vulnerable without doing any checking
first, thus leading to this noise (for which I apologise).

I have updated data/dla-needed.txt and data/CVE/list to match.


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Dec 3 20:51:05 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started