The MITRE CVE dictionary describes this issue as:

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

Find out more about CVE-2019-3498 from the MITRE CVE dictionary and NIST NVD.
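As an added illustration of the weakness the description names (this is example code, not Django's own page_not_found() and not the upstream fix): a minimal fallback 404 renderer that first interpolates the raw request path into the page and then the hardened variant that percent-encodes and HTML-escapes the path before interpolation, plus a small parser-based check a defender can run over a rendered body to confirm that no markup carried in the URL survived. The template string, the constructed sample path, and all function names here are assumptions made for the example.

```python
"""Added example (not Django code): unsafe vs. hardened fallback 404 rendering
of the requested path, with a check for markup that leaked in from the URL."""
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Template shape that echoes the requested path into the body (constructed).
FALLBACK_404 = (
    "<h1>Not Found</h1>"
    "<p>The requested URL {path} was not found on this server.</p>"
)

# Constructed sample of a request path that carries HTML markup.
CRAFTED_PATH = "/docs/<b>Spoofed notice injected via the URL</b>"

# Tags the fallback template itself emits; anything else came from the input.
TEMPLATE_TAGS = {"h1", "p"}


def render_404_unsafe(path: str) -> str:
    """Interpolates the raw path; any markup in the URL lands in the page verbatim."""
    return FALLBACK_404.format(path=path)


def render_404_hardened(path: str) -> str:
    """Percent-encodes the path (keeping '/'), then HTML-escapes the result,
    so neither tags nor attribute-breaking quotes reach the document."""
    safe_path = html.escape(quote(path, safe="/"), quote=True)
    return FALLBACK_404.format(path=safe_path)


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in a rendered body."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def injected_tags(body: str) -> set[str]:
    """Return tags present in the body that the template never emits."""
    collector = _TagCollector()
    collector.feed(body)
    return set(collector.tags) - TEMPLATE_TAGS


if __name__ == "__main__":
    print("unsafe  :", injected_tags(render_404_unsafe(CRAFTED_PATH)))
    print("hardened:", injected_tags(render_404_hardened(CRAFTED_PATH)))
```

The check deliberately parses the body instead of searching for substrings, because the template legitimately contains `<` and `>` of its own; comparing the parsed tag set against the template's known tags isolates exactly what the URL contributed.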
This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not reachable by default because of the firewall rules, so this flaw cannot be exploited there. However, it can be triggered on the Content Delivery Systems.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
Metric | Value
---|---
CVSS3 Base Score | 4.3
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality Impact | None
Integrity Impact | Low
Availability Impact | None
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | Django | Will not fix |
Red Hat Satellite 6 | python-django | Under investigation |
Red Hat OpenStack Platform Operational Tools 9 | python-django | Under investigation |
Red Hat OpenStack Platform 9.0 | python-django | Under investigation |
Red Hat OpenStack Platform 8.0 (Liberty) | python-django | Under investigation |
Red Hat OpenStack Platform 14 | python-django | Under investigation |
Red Hat OpenStack Platform 13.0 (Queens) | python-django | Under investigation |
Red Hat OpenStack Platform 10 | python-django | Under investigation |
Red Hat Gluster Storage 3 | python-django | Affected |
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 | python-django | Under investigation |
Red Hat Ceph Storage 3 | python-django | Affected |
Red Hat Ceph Storage 2 | python-django | Affected |