CVE-2019-19844
published 2019-12-18

Priority: P277
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 34.81% (98.2th percentile)
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Affected (11 ranges)

Vendor         Product        Version range                           Fixed in
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
debian         python-django  < python-django 2:2.2.9-1 (bookworm)   python-django 2:2.2.9-1 (bookworm)
djangoproject  django         < 1.11.27                               1.11.27
djangoproject  django
djangoproject  django         >= 0, < 1.11.27                         1.11.27
djangoproject  django         >= 2.0, < 2.2.9                         2.2.9
djangoproject  django         >= 2.2, < 2.2.9                         2.2.9
djangoproject  django         >= 3.0, < 3.0.1                         3.0.1

Detection & IOCs (extracted from sources)

url: http://127.0.0.1:8000/accounts/password-reset/
  • Monitor password reset requests where the submitted email address contains Unicode characters that case-fold to match an existing user's registered ASCII email address (e.g., dotless 'ı' U+0131 folding to 'i'). Such requests indicate exploitation of the Unicode case-insensitive query vulnerability.
  • Alert on password reset form submissions where the email field contains non-ASCII Unicode characters (codepoints > 0x7F), particularly in the local-part or domain of the address, as this is the attacker-controlled input vector.
  • Inspect Django password reset flows for cases where the email address the reset token is delivered to differs from the email address submitted in the reset form: this indicates the Unicode normalization bypass is occurring and a token is being sent to the legitimate account owner.
  • This vulnerability only affects deployments that have Django's built-in password reset functionality enabled. Applications that disable or do not use the password reset form are not exploitable via this vector.
  • Affected Django versions are < 1.11.27, 2.x < 2.2.9, and 3.x < 3.0.1. Deployments on these versions with password reset enabled should be treated as actively exploitable.
  • Unless the password-reset form is disabled, patching to a fixed version is the only reliable remediation. No configuration-only workaround exists.
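The first three detection points above, worked through as an added Python example (not code from the page, Django, or any vendor): it screens password-reset submissions against a constructed list of registered ASCII addresses, flags non-ASCII input, and reports when a loose Unicode-uppercasing comparison (an assumption standing in for a case-insensitive database lookup) matches an account that an NFKC-plus-casefold comparison rejects.

```python
import unicodedata

# Constructed sample data (not from the page): registered ASCII addresses and a
# few password-reset submissions to screen against them.
REGISTERED = ["alice@example.com", "bob@example.org"]
SUBMISSIONS = [
    "alice@example.com",        # exact match, benign
    "Alice@Example.com",        # ASCII case difference only, benign
    "al\u0131ce@example.com",   # dotless i (U+0131), which upper-cases to 'I'
    "carol@example.net",        # unknown address, matches nothing
]

def is_non_ascii(s: str) -> bool:
    """True if any code point in the submitted address is above 0x7F."""
    return any(ord(ch) > 0x7F for ch in s)

def loose_match(a: str, b: str) -> bool:
    """Assumption: models a case-insensitive lookup that applies full Unicode
    upper-casing, the behaviour that makes U+0131 compare equal to 'i'."""
    return a.upper() == b.upper()

def strict_match(a: str, b: str) -> bool:
    """NFKC-normalise and casefold both sides; this stricter comparison does
    not accept the dotless-i address for the ASCII account."""
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKC", s).casefold()
    return fold(a) == fold(b)

def screen_reset_request(submitted: str, registered=REGISTERED) -> dict:
    """Classify one submission: which account a loose lookup would pick, and
    whether only the loose comparison (not the strict one) accepts it."""
    result = {"submitted": submitted, "non_ascii": is_non_ascii(submitted),
              "matched": None, "casefold_bypass": False}
    for reg in registered:
        if loose_match(submitted, reg):
            result["matched"] = reg
            result["casefold_bypass"] = not strict_match(submitted, reg)
            break
    return result

def flagged_requests(submissions=SUBMISSIONS, registered=REGISTERED) -> list:
    """Submissions worth an alert: a bypass hit, or any non-ASCII input."""
    results = [screen_reset_request(s, registered) for s in submissions]
    return [r for r in results if r["casefold_bypass"] or r["non_ascii"]]

if __name__ == "__main__":
    for r in flagged_requests():
        print(r)
```

In a real deployment the same check runs on the form input before the recipient is chosen, and the token should go only to the stored user.email, as the fixed releases do.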

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:N/I:P/A:N
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL