CVE-2019-3498

Aliases: GHSA-337x-4q8g-prc5, PYSEC-2019-17
Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 09 Jan 2019, 22:00
Last modified: 04 Aug 2024, 19:12

Vulnerability Summary

  • Overall Risk (default): medium, 26/100
  • CVSS Score: 6.5 MEDIUM, v3.0 (nvd)
  • EPSS Score: 0.52% LOW, 1% probability -0.92%
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 09 Jan 2019, 22:00: Published. Vulnerability first disclosed
  • 04 Aug 2024, 19:12: Last Modified. Vulnerability information updated

Description

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

CVSS Metrics

  • v4.0, HIGH, Score: 7.1, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  • v3.0, MEDIUM, Score: 6.5, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
  • v2.0, MEDIUM, Score: 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.52% Percentile: 67%

Techniques & Countermeasures

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Systems

  • canonical / ubuntu_linux

    14.04 | 16.04 | 18.04 | 18.10

  • debian / debian_linux

    8.0 | 9.0

  • djangoproject / django

    ≥ 1.11, < 1.11.18 | ≥ 2.0, < 2.0.10 | ≥ 2.1, < 2.1.5

  • fedoraproject / fedora

    28

  • PyPI / django

    ≥ 1.11a1, < 1.11.18 | ≥ 2.0a1, < 2.0.10 | ≥ 2.1a1, < 2.1.5 | ≥ 2.1, < 2.1.5

References (19)