GSD-2019-19118
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-19118",
"description": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)",
"id": "GSD-2019-19118",
"references": [
"https://www.suse.com/security/cve/CVE-2019-19118.html",
"https://security.archlinux.org/CVE-2019-19118"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-19118"
],
"details": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)",
"id": "GSD-2019-19118",
"modified": "2023-12-13T01:23:54.559385Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-19118",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.djangoproject.com/en/dev/releases/security/",
"refsource": "MISC",
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "[oss-security] 20191202 Django 2.2.8 and 2.1.15: CVE-2019-19118: Privilege escalation in the Django admin.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2019/12/02/1"
},
{
"name": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ"
},
{
"name": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/",
"refsource": "CONFIRM",
"url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20191217-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20191217-0003/"
},
{
"name": "FEDORA-2019-adc8990386",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/"
},
{
"name": "GLSA-202004-17",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202004-17"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.1,\u003c2.1.15||\u003e=2.2,\u003c2.2.8",
"affected_versions": "All versions starting from 2.1 before 2.1.15, all versions starting from 2.2 before 2.2.8",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-276",
"CWE-937"
],
"date": "2019-12-19",
"description": "Django allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s `save()` method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked.",
"fixed_versions": [
"2.1.15",
"2.2.8"
],
"identifier": "CVE-2019-19118",
"identifiers": [
"CVE-2019-19118"
],
"not_impacted": "All versions before 2.1, all versions starting from 2.1.15 before 2.2, all versions starting from 2.2.8",
"package_slug": "pypi/Django",
"pubdate": "2019-12-02",
"solution": "Upgrade to versions 2.1.15, 2.2.8 or above.",
"title": "Incorrect Default Permissions",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-19118",
"https://docs.djangoproject.com/en/dev/releases/security/",
"https://www.djangoproject.com/weblog/2019/dec/02/security-releases/"
],
"uuid": "3c7488bb-1030-451a-8dcb-779dc4c5c074"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.1.15",
"versionStartIncluding": "2.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.2.8",
"versionStartIncluding": "2.2",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-19118"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model\u0027s save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20191202 Django 2.2.8 and 2.1.15: CVE-2019-19118: Privilege escalation in the Django admin.",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2019/12/02/1"
},
{
"name": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/#!topic/django-announce/GjGqDvtNmWQ"
},
{
"name": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/"
},
{
"name": "https://docs.djangoproject.com/en/dev/releases/security/",
"refsource": "MISC",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://docs.djangoproject.com/en/dev/releases/security/"
},
{
"name": "https://security.netapp.com/advisory/ntap-20191217-0003/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20191217-0003/"
},
{
"name": "FEDORA-2019-adc8990386",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/"
},
{
"name": "GLSA-202004-17",
"refsource": "GENTOO",
"tags": [],
"url": "https://security.gentoo.org/glsa/202004-17"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-05-01T02:15Z",
"publishedDate": "2019-12-02T14:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…