CVE-2016-2048 — Improper Access Control in Django

CWE-284 — Improper Access Control CWE-122 — Heap-based Buffer Overflow14 documents8 sources

Severity

5.5MEDIUMNVD

GHSA7.5

EPSS

0.1%

top 65.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedFeb 8

Latest updateMay 30

Description

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:NExploitability: 1.2 | Impact: 4.2

Affected Packages2 packages

▶PyPIdjangoproject/django1.9 — 1.9.2

▶NVDdjangoproject/django1.9, 1.9.1+1

🔴Vulnerability Details

GHSA

Kyverno vulnerable due to usage of insecure cipher↗2023-05-30

▶

GHSA

Django Access Restrictions Bypass↗2022-05-17

▶

OSV

Django Access Restrictions Bypass↗2022-05-17

▶

OSV

libssh vulnerabilities↗2016-02-23

▶

CVEList

CVE-2016-2048: Django 1↗2016-02-08

▶

💥Exploits & PoCs

Exploit-DB

Apple OS X/iOS Kernel - IOSurface Use-After-Free↗2016-10-31

▶

Exploit-DB

glibc - 'getaddrinfo' Stack Buffer Overflow (PoC)↗2016-02-16

▶

📋Vendor Advisories

Red Hat

libtiff: Heap-based buffer overflow in tif_next.c↗2016-12-03

▶

Red Hat

python-django: user with "change" but not "add" permission can create objects for ModelAdmin↗2016-02-01

▶

Debian

CVE-2016-2048: python-django - Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote...↗2016

▶

💬Community

Bugzilla

CVE-2016-2048 python-django: user with "change" but not "add" permission can create objects for ModelAdmin↗2016-01-28

▶