CVE-2019-19844
Aliases: GHSA-vfq6-hq5r-27r6, PYSEC-2019-16
Advisory lineage: Upstream: 0, Downstream: 15
Modified
Published: 18 Dec 2019, 18:07
Last modified: 05 Aug 2024, 02:25
Vulnerability Summary
- Overall Risk (default): high (70/100)
- CVSS Score: 9.8 CRITICAL, v3.1 (nvd)
- EPSS Score: 15.42% MEDIUM (15% probability, +1.45%)
- KEV: Not listed
- Ransomware: No reports
- Public exploits: 1 found
- Dark Web: Not detected
Timeline
- 18 Dec 2019, 18:07: Published (vulnerability first disclosed)
- 05 Aug 2024, 02:25: Last Modified (vulnerability information updated)
Description
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
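As an added illustration (not Django's code and not part of the advisory), the stand-alone Python below mimics the two behaviours the description contrasts: a case-insensitive address lookup under which a Unicode variant of a registered address matches the same account, and a corrected flow that mails the reset token only to the address stored on that account. The sample account store and the stricter comparison (NFKC normalisation followed by casefold) are assumptions made for this example.

```python
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str


# Constructed sample account store; not real data.
USERS = [User("mike", "mike@example.org")]


def lookup_iexact(submitted: str) -> list:
    """Mimic a case-insensitive (iexact-style) match that upper-cases both sides.
    Some non-ASCII letters map onto ASCII letters under upper(), so an address
    that differs from the stored one can still match the same account."""
    return [u for u in USERS if u.email.upper() == submitted.upper()]


def reset_recipients_vulnerable(submitted: str) -> list:
    """Pre-fix flow described in the advisory: the reset token is mailed to the
    address the requester typed, once per matched account."""
    return [submitted for _ in lookup_iexact(submitted)]


def unicode_ci_compare(a: str, b: str) -> bool:
    """Assumed stricter comparison: NFKC-normalise, then casefold. Characters
    that only collide under upper()/lower() no longer compare equal."""
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def reset_recipients_fixed(submitted: str) -> list:
    """Mitigation named in the advisory: re-check the match and send the token
    only to the e-mail address stored on the matched account."""
    return [u.email for u in lookup_iexact(submitted)
            if unicode_ci_compare(u.email, submitted)]


if __name__ == "__main__":
    # U+0131 (dotless i) upper-cases to ASCII 'I', so this variant matches "mike".
    variant = "m\u0131ke@example.org"
    print("vulnerable ->", reset_recipients_vulnerable(variant))  # token goes to the variant
    print("fixed      ->", reset_recipients_fixed(variant))       # no token sent
    print("legit      ->", reset_recipients_fixed("MIKE@example.org"))  # stored address
```

Whether the first-stage lookup collides at all depends on the database collation behind the case-insensitive filter; the second-stage check and sending to the stored address protect the account either way.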
CVSS Metrics
- v4.0 • CRITICAL • Score: 9.3 • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- v3.1 • CRITICAL • Score: 9.8 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0 • MEDIUM • Score: 5 • AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 15.42% • Percentile: 95%
Techniques & Countermeasures
- CWE-640 • Weak Password Recovery Mechanism for Forgotten Password
  The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Affected Systems
- canonical • ubuntu_linux: 16.04 | 18.04 | 19.04 | 19.10
- djangoproject • django: < 1.11.27 | ≥ 2.2, < 2.2.9 | 3.0
- PyPI • django: < 1.11.27 | ≥ 2.0, < 2.2.9 | ≥ 3.0, < 3.0.1 | ≥ 2.2, < 2.2.9
References
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
- https://usn.ubuntu.com/4224-1/
- https://www.debian.org/security/2020/dsa-4598
- https://seclists.org/bugtraq/2020/Jan/9
- http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
- https://security.netapp.com/advisory/ntap-20200110-0003/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
- https://security.gentoo.org/glsa/202004-17
- https://nvd.nist.gov/vuln/detail/CVE-2019-19844
- https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26
- https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e
- https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70
- https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yaml
- https://github.com/django/django
- https://github.com/advisories/GHSA-vfq6-hq5r-27r6