CVE-2019-3498
Published 2019-01-09
Priority: P4 · 32 · medium · CVSS 3.0: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS: 3.69% (88.3th percentile)
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-django | < python-django 1:1.11.18-1 (bookworm) | python-django 1:1.11.18-1 (bookworm) |
| djangoproject | django | >= 1.11 < 1.11.18 | 1.11.18 |
| djangoproject | django | >= 1.11a1 < 1.11.18 | 1.11.18 |
| djangoproject | django | >= 2.0 < 2.0.10 | 2.0.10 |
| djangoproject | django | >= 2.0a1 < 2.0.10 | 2.0.10 |
| djangoproject | django | >= 2.1 < 2.1.5 | 2.1.5 |
| djangoproject | django | >= 2.1a1 < 2.1.5 | 2.1.5 |
| fedoraproject | fedora | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA · ghsa · 2019-01-14
CVE-2019-3498 [HIGH] CWE-20 Improper Input Validation in Django
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in `django.views.defaults.page_not_found()`, leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
OSV · osv · 2019-01-14
CVE-2019-3498 [HIGH] Improper Input Validation in Django
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in `django.views.defaults.page_not_found()`, leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
OSV · osv · 2019-01-09 · CVSS 6.5
CVE-2019-3498 [MEDIUM] CVE-2019-3498: In Django 1
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Ubuntu · vendor_ubuntu · 2019-01-09
CVE-2019-3498 Django vulnerability
Summary: Django could be made to expose spoofed information over the network.
It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · vendor_redhat · 2019-01-07 · CVSS 6.5
CVE-2019-3498 [MEDIUM] CWE-99 python-django: Content spoofing via URL path in default 404 page
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Statement: This issue affects the versions of python-django as shipped with Red Hat Update Infrastructure 3. Even though the Red Hat Update Appliance ships python-django, the application is not accessible by default because of the firewall rules, thus this flaw cannot be used. However, it can be triggered on the Content Delivery Systems.
Red Hat Satellite is not affected, since python-dj
Debian · vendor_debian · 2019 · CVSS 6.5
CVE-2019-3498 [MEDIUM] CVE-2019-3498: python-django - In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an...
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
Scope: local
bookworm: resolved (fixed in 1:1.11.18-1)
bullseye: resolved (fixed in 1:1.11.18-1)
forky: resolved (fixed in 1:1.11.18-1)
sid: resolved (fixed in 1:1.11.18-1)
trixie: resolved (fixed in 1:1.11.18-1)
No detection rules found.
No public exploits indexed.
Bugzilla · bugzilla · 2019-01-07 · CVSS 6.5
CVE-2019-3498 [MEDIUM] CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page
Django before versions 1.11.18, 2.0.10 and 2.1.5 is vulnerable to content spoofing via crafted URL in the default 404 page. An attacker could craft a malicious URL that could make spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.
External Reference:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
Upstream Patches:
https://github.com/django/django/commit/1ecc0a395
https://github.com/django/django/commit/1cd00fcf5
https://github.com/django/django/commit/9f4ed7c94
https://github.com/django/django/commit/64d2396e8
Discussion:
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-29 [bug 1663725]
Created py
Bugzilla · bugzilla · 2019-01-07 · CVSS 6.5
CVE-2019-3498 [MEDIUM] CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page [epel-7]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-7.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following template to for
Bugzilla · bugzilla · 2019-01-07 · CVSS 6.5
CVE-2019-3498 [MEDIUM] CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla · bugzilla · 2019-01-07 · CVSS 6.5
CVE-2019-3498 [MEDIUM] CVE-2019-3498 django:1.6/python-django: Content spoofing via URL path in default 404 page [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-29.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the followi
References:
http://www.securityfocus.com/bid/106453
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#%21topic/django-announce/VYU7xQQTEPQ
https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/
https://usn.ubuntu.com/3851-1/
https://www.debian.org/security/2019/dsa-4363
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/