Bug 1136468 - VUL-0: CVE-2019-12308: python-Django, python-Django1 : The clickable "Current URL" link generated by AdminURLFieldWidget displays the provided value without validating it as a safe URL
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
Reported: 2019-05-27 14:57 UTC by Alexandros Toptsoglou
Modified: 2020-05-06 15:17 UTC (History)
Comment 8 Marcus Meissner 2019-06-03 11:24:46 UTC
is public

https://www.djangoproject.com/weblog/2019/jun/03/security-releases/

Django security releases issued: 2.2.2, 2.1.9 and 1.11.21
Posted by Carlton Gibson on June 3, 2019

In accordance with our security release policy, the Django team is issuing Django 1.11.21, Django 2.1.9, and Django 2.2.2. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2019-12308: AdminURLFieldWidget XSS

The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
Affected versions

    Django master development branch
    Django 2.2 before version 2.2.2
    Django 2.1 before version 2.1.9
    Django 1.11 before version 1.11.21
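An added example (not Django's code and not part of this bug report) showing the fix pattern the advisory describes: validate the stored value before emitting a clickable link, and otherwise show it only as escaped text. `validate_url` is a simplified stand-in for Django's URLValidator (it keeps URLValidator's default scheme allowlist plus a host check), and `render_current_url` stands in for the widget's get_context/template; the `validator` parameter plays the role of the `validator_class` kwarg mentioned above.

```python
"""Added example mirroring the CVE-2019-12308 fix pattern; not Django's own code.
validate_url is a simplified stand-in for django.core.validators.URLValidator."""
from html import escape
from urllib.parse import urlsplit

# Same default scheme allowlist as URLValidator
ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError."""


def validate_url(value: str) -> None:
    """Reject anything that is not an absolute URL with an allowed scheme
    and a non-empty host (a javascript: value has no allowed scheme)."""
    try:
        parts = urlsplit(value)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        raise ValidationError(str(exc)) from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValidationError(f"invalid URL: {value!r}")


def render_current_url(value: str, validator=validate_url) -> str:
    """Render the 'Currently:' fragment of the admin URL widget.
    As in the patched widget, an <a> element is emitted only when the
    validator accepts the value; otherwise the value is shown as escaped
    text so it can never become a clickable link."""
    if not value:
        return ""
    try:
        validator(value)
        url_valid = True
    except ValidationError:
        url_valid = False
    shown = escape(value, quote=True)  # always HTML-escape what we display
    if url_valid:
        return f'<p class="url">Currently:<a href="{shown}">{shown}</a></p>'
    return f'<p class="url">Currently: {shown}</p>'
```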
Comment 9 Swamp Workflow Management 2019-06-03 11:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1136468) was mentioned in
https://build.opensuse.org/request/show/707130 Factory / python-Django1
https://build.opensuse.org/request/show/707145 Factory / python-Django
Comment 10 Bryan Stephenson 2019-06-04 20:40:32 UTC
Patches submitted for Cloud 8 and Cloud 9. Cloud 7 is not vulnerable.
Comment 14 Swamp Workflow Management 2019-08-01 12:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1136468) was mentioned in
https://build.opensuse.org/request/show/720192 15.1 / python-Django
Comment 15 Swamp Workflow Management 2019-08-01 19:18:27 UTC
SUSE-SU-2019:2034-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1136468
CVE References: CVE-2019-12308
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Django1-1.11.20-3.6.1
SUSE OpenStack Cloud 9 (src):    python-Django1-1.11.20-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2019-08-08 19:11:33 UTC
openSUSE-SU-2019:1839-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
openSUSE Leap 15.1 (src):    python-Django-2.2.4-lp151.2.3.1
Comment 18 Swamp Workflow Management 2019-08-14 13:23:42 UTC
openSUSE-SU-2019:1872-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-11358,CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
openSUSE Backports SLE-15-SP1 (src):    python-Django-2.2.4-bp151.3.3.1
Comment 19 Swamp Workflow Management 2019-09-02 10:32:09 UTC
SUSE-SU-2019:2257-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Django-1.11.23-3.12.1
SUSE OpenStack Cloud 8 (src):    python-Django-1.11.23-3.12.1
HPE Helion Openstack 8 (src):    python-Django-1.11.23-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2019-09-09 13:14:10 UTC
SUSE-SU-2019:2335-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1136468,1139945,1142880,1142882,1142883,1142885
CVE References: CVE-2019-12308,CVE-2019-12781,CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Django1-1.11.23-3.9.1
SUSE OpenStack Cloud 9 (src):    python-Django1-1.11.23-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Alexandros Toptsoglou 2020-05-06 15:17:50 UTC
Done