Allele Security Alert
ASA-2019-00002
Identifier(s)
ASA-2019-00002, CVE-2019-3498
Title
Content spoofing possibility in the default 404 page
Vendor(s)
Django Software Foundation
Product(s)
Django
Affected version(s)
Django 2.1
Django 2.0
Django 1.11
Fixed version(s)
Django 1.11.18
Django 2.0.10
Django 2.1.5
Proof of concept
Unknown
Description
An attacker could craft a malicious URL that makes spoofed content appear on the default page generated by the django.views.defaults.page_not_found() view, because that page reflected the request path back to the user.
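As an added illustration (not code from Django or from any of the references below), the following stand-alone Python shows the mechanism the description refers to: a 404 page that echoes the percent-decoded request path renders an attacker-chosen sentence as the site's own text, and HTML-escaping alone does not prevent it, since the spoofed content is ordinary words rather than markup. The hardened variant follows the mitigation pattern of the linked fix: the default message no longer includes the path, and a template that still wants it receives a percent-quoted value. The URL, the helper names and the check function are constructed for this example.

```python
from html import escape
from urllib.parse import quote, unquote

# Constructed URL for illustration only; not an exploit string taken from
# the advisory or its references. After percent-decoding it reads as prose.
CRAFTED_URL = "/Your%20account%20was%20suspended.%20Call%20555-0100%20to%20restore%20it"


def decoded_request_path(url: str) -> str:
    """Model of what a web framework exposes as the request path: the raw
    URL path after percent-decoding (hypothetical helper for the example)."""
    return unquote(url)


def vulnerable_404(request_path: str) -> str:
    """Unsafe pattern: echo the decoded path into the message. HTML escaping
    stops markup injection but leaves spaces and words intact, so the
    attacker's text is rendered as a sentence on the site's own page."""
    return (
        "<h1>Not Found</h1>"
        "<p>The requested URL " + escape(request_path) +
        " was not found on this server.</p>"
    )


def hardened_404(request_path: str, show_path: bool = False) -> str:
    """Safer pattern: omit the path by default. Templates that still want it
    get a percent-quoted form, so spaces become %20 and the value reads as a
    URL rather than prose. HTML escaping is kept as a second layer."""
    if not show_path:
        return ("<h1>Not Found</h1>"
                "<p>The requested resource was not found on this server.</p>")
    return (
        "<h1>Not Found</h1>"
        "<p>The requested URL " + escape(quote(request_path)) +
        " was not found on this server.</p>"
    )


def contains_spoofable_prose(body: str, decoded_path: str) -> bool:
    """Check used by the example: does the decoded, space-containing path
    appear verbatim in the response body? True means a reader of the page
    sees the attacker's sentence as if the site had written it."""
    return " " in decoded_path and escape(decoded_path) in body


if __name__ == "__main__":
    path = decoded_request_path(CRAFTED_URL)
    print(vulnerable_404(path))
    print(hardened_404(path, show_path=True))
    print(contains_spoofable_prose(vulnerable_404(path), path))                 # True
    print(contains_spoofable_prose(hardened_404(path, show_path=True), path))  # False
```

The point of the check function is that the failure mode here is not XSS: `escape()` is applied in both variants, and only the version that percent-quotes (or omits) the path stops the decoded sentence from reaching the reader.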
Technical details
Unknown
Credits
Jerbi Nessim and Tom Hacohen (tasn)
Reference(s)
Django security releases issued: 2.1.5, 2.0.10, and 1.11.18 (oss-security mailing list post)
https://seclists.org/oss-sec/2019/q1/23
Django security releases issued: 2.1.5, 2.0.10, and 1.11.18 (Django weblog)
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
Fixed #30070 — Fixed content spoofing possibility in the default 404 page. #10809
https://github.com/django/django/pull/10809
Content spoofing possibility in default 404 page
https://code.djangoproject.com/ticket/30070
Fixed #30070, CVE-2019-3498 — Fixed content spoofing possibility in the default 404 page.
https://github.com/django/django/commit/1ecc0a395be721e987e8e9fdfadde952b6dee1c7
CVE-2019-3498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498
CVE-2019-3498
https://nvd.nist.gov/vuln/detail/CVE-2019-3498
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: January 4, 2019