CVE-2019-19844
Published 2019-12-18
Priority: P277 · critical · 9.8 (CVSS 3.1)
EXPLOIT
EPSS: 34.81% (percentile 98.2)
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | python-django | < python-django 2:2.2.9-1 (bookworm) | python-django 2:2.2.9-1 (bookworm) |
| djangoproject | django | < 1.11.27 | 1.11.27 |
| djangoproject | django | — | — |
| djangoproject | django | >= 0 < 1.11.27 | 1.11.27 |
| djangoproject | django | >= 2.0 < 2.2.9 | 2.2.9 |
| djangoproject | django | >= 2.2 < 2.2.9 | 2.2.9 |
| djangoproject | django | >= 3.0 < 3.0.1 | 3.0.1 |
Detection & IOCs (extracted from sources)
- Monitor password reset requests where the submitted email address contains Unicode characters that case-fold to match an existing user's registered ASCII email address (e.g., dotless 'ı' U+0131 folding to 'i'). Such requests indicate exploitation of the Unicode case-insensitive query vulnerability.
- Alert on password reset form submissions where the email field contains non-ASCII Unicode characters (codepoints > 0x7F), particularly in the local-part or domain of the address, as this is the attacker-controlled input vector.
- Inspect Django password reset flows for cases where the email address delivered to the reset token recipient differs from the email address submitted in the reset form: this indicates the Unicode normalization bypass is occurring and a token is being sent to the legitimate account owner.
- This vulnerability only affects deployments that have Django's built-in password reset functionality enabled. Applications that disable or do not use the password reset form are not exploitable via this vector.
- Affected Django versions are < 1.11.27, 2.x < 2.2.9, and 3.x < 3.0.1. Deployments on these versions with password reset enabled should be treated as actively exploitable.
- Unless the password-reset form is disabled, patching to a fixed version is the only reliable remediation. No configuration-only workaround exists.
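A defender-side check implementing the first two detection items above, added here as an example (it is not code from Django or from any source quoted on this page). The registered addresses and the submissions are constructed sample data, and the function names are my own; the classification mirrors the fixed releases' mitigation of delivering the token only to the stored address.

```python
# Constructed sample data (not real accounts): registered addresses are plain ASCII.
REGISTERED_EMAILS = ["alice@example.com", "mike@example.com"]


def non_ascii_chars(s):
    """Return the characters of s above 0x7F as (char, 'U+XXXX') pairs."""
    return [(c, "U+%04X" % ord(c)) for c in s if ord(c) > 0x7F]


def case_collides(a, b):
    """True if a and b differ but compare equal case-insensitively.

    Both upper() and casefold() are tried because some characters only
    collide with ASCII in one direction: U+0131 upper-cases to 'I' but
    does not case-fold to 'i', so a casefold-only check would miss it.
    """
    if a == b:
        return False
    return a.upper() == b.upper() or a.casefold() == b.casefold()


def classify_reset_request(submitted, registered_emails=REGISTERED_EMAILS):
    """Classify one password reset submission against the registered addresses.

    verdict: 'exact', 'unicode_case_collision' (the CVE-2019-19844 pattern:
             non-ASCII input colliding with an ASCII account), 'case_variant'
             (ordinary upper/lower-case typing) or 'no_match'
    registered: the matched stored address, i.e. the only safe token recipient
    non_ascii: the non-ASCII characters found in the submitted address
    """
    non_ascii = non_ascii_chars(submitted)
    for reg in registered_emails:
        if submitted == reg:
            return {"verdict": "exact", "registered": reg, "non_ascii": non_ascii}
        if case_collides(submitted, reg):
            suspicious = bool(non_ascii) and not non_ascii_chars(reg)
            verdict = "unicode_case_collision" if suspicious else "case_variant"
            return {"verdict": verdict, "registered": reg, "non_ascii": non_ascii}
    return {"verdict": "no_match", "registered": None, "non_ascii": non_ascii}


def safe_recipient(submitted, registered_emails=REGISTERED_EMAILS):
    """Mitigation from the fixed releases: the token goes to the registered
    address (or nowhere), never to the address typed into the form."""
    return classify_reset_request(submitted, registered_emails)["registered"]


if __name__ == "__main__":
    for sub in ["mike@example.com", "MIKE@example.com",
                "m\u0131ke@example.com", "bob@example.com"]:
        r = classify_reset_request(sub)
        print(sub, r["verdict"], r["non_ascii"], "->", safe_recipient(sub))
```

Feed the function the email field of each reset submission and the result of the account lookup; a `unicode_case_collision` verdict is the event the first detection item asks you to alert on.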
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (CVSS v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
- OSV: 9.8 CRITICAL
- Debian (vendor): 9.8 CRITICAL
- Red Hat (vendor): 9.8 CRITICAL
OSV
Django Potential account hijack via password reset form
osv · 2020-01-16 · CRITICAL
GHSA
Django Potential account hijack via password reset form
ghsa · 2020-01-16 · CRITICAL · CWE-640
OSV
CVE-2019-19844: Django before 1…
osv · 2019-12-18 · CVSS 9.8 · CRITICAL
Ubuntu
Django vulnerability
vendor_ubuntu · 2024-04-08
Summary: Django accounts could be hijacked through password reset requests.
Simon Charette discovered that the password reset functionality in Django used a Unicode case-insensitive query to retrieve accounts associated with an email address. An attacker could possibly use this to obtain password reset tokens and hijack accounts.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Django: crafted email address allows account takeover
vendor_redhat · 2019-12-18 · CVSS 9.8 · CRITICAL · CWE-290
A flaw was found in Django where it did not sanitize the email input from the password recovery form. An attacker with knowledge of the victim user's email address could use this flaw to reset the victim user's password and retrieve the reset link to gain access and take over their account.
Statement: This flaw depen
Debian
CVE-2019-19844: python-django
vendor_debian · 2019 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 2:2.2.9-1)
bullseye: resolved (fixed in 2:2.2.9-1)
forky: resolved (fixed in 2:2.2.9-1)
sid: resolved (fixed in 2:2.2.9-1)
trixie: resolved (fixed in 2:2.2.9-1)
No detection rules found.
Bugzilla
CVE-2019-19844 python-django: Django: crafted email address allows account takeover [openstack-rdo]
bugzilla · 2020-01-08 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
This security
Bugzilla
CVE-2019-19844 python-django16: Django: crafted email address allows account takeover [epel-7]
bugzilla · 2020-01-07 · CVSS 9.8 · CRITICAL
Discussion:
Use the following template
Bugzilla
CVE-2019-19844 python-django: Django: crafted email address allows account takeover [epel-8]
bugzilla · 2020-01-07 · CVSS 9.8 · CRITICAL
Discussion:
Use the following template t
Bugzilla
CVE-2019-19844 python-django: Django: crafted email address allows account takeover [epel-7]
bugzilla · 2020-01-07 · CVSS 9.8 · CRITICAL
Discussion:
Use the following template t
Bugzilla
CVE-2019-19844 Django: crafted email address allows account takeover
bugzilla · 2020-01-07 · CVSS 9.8 · CRITICAL
External References:
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
References:
https://seclists.org/oss-sec/2019/q4/163
Discussion:
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1788427]
Affects: epel-8 [bug 1788429]
Affects: fedora-all [bug 1788426]
Bugzilla
CVE-2019-19844 python-django: Django: crafted email address allows account takeover [fedora-all]
bugzilla · 2020-01-07 · CVSS 9.8 · CRITICAL
NOTE: this issue affects multiple
References
- http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
- https://seclists.org/bugtraq/2020/Jan/9
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200110-0003/
- https://usn.ubuntu.com/4224-1/
- https://www.debian.org/security/2020/dsa-4598
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases/