ASA-2019-00002 – Django: Content spoofing possibility in the default 404 page


Allele Security Alert

ASA-2019-00002

Identifier(s)

ASA-2019-00002, CVE-2019-3498

Title

Content spoofing possibility in the default 404 page

Vendor(s)

Django Software Foundation

Product(s)

Django

Affected version(s)

Django 2.1
Django 2.0
Django 1.11

Fixed version(s)

Django 1.11.18
Django 2.0.10
Django 2.1.5

Proof of concept

Unknown

Description

An attacker could craft a malicious URL that makes spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view.

Technical details

Unknown

Credits

Jerbi Nessim and Tom Hacohen (tasn)

Reference(s)

Django security releases issued: 2.1.5, 2.0.10, and 1.11.18
https://seclists.org/oss-sec/2019/q1/23

Django security releases issued: 2.1.5, 2.0.10, and 1.11.18
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/

Fixed #30070 — Fixed content spoofing possibility in the default 404 page. #10809
https://github.com/django/django/pull/10809

Content spoofing possibility in default 404 page
https://code.djangoproject.com/ticket/30070

Fixed #30070, CVE-2019-3498 — Fixed content spoofing possibility in the default 404 page.
https://github.com/django/django/commit/1ecc0a395be721e987e8e9fdfadde952b6dee1c7

CVE-2019-3498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498

CVE-2019-3498
https://nvd.nist.gov/vuln/detail/CVE-2019-3498

Last modified: January 4, 2019