Bug 1195086 - (CVE-2022-22818) VUL-0: CVE-2022-22818: python-Django,python-Django1: Possible XSS via {% debug %} template tag
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/321634/
CVSSv3.1:SUSE:CVE-2022-22818:5.0:(AV:...
Reported: 2022-01-25 09:22 UTC by Carlos López
Modified: 2022-02-14 12:42 UTC (History)


Attachments
 - patch 2.2.x (5.93 KB, patch), 2022-01-25 09:28 UTC, Carlos López
 - patch 3.2.x (6.80 KB, patch), 2022-01-25 09:29 UTC, Carlos López
 - patch 4.0.x (7.49 KB, patch), 2022-01-25 09:30 UTC, Carlos López
 - patch main branch (7.48 KB, patch), 2022-01-25 09:30 UTC, Carlos López

Description Carlos López 2022-01-25 09:22:13 UTC
CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

This issue has Medium severity, according to the Django security policy [1].

Affected versions
=================

* Django main development branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Included with this email are patches implementing the changes described above
for each affected version of Django. On the release date, these patches will be
applied to the Django development repository and the following releases will be
issued along with disclosure of the issues:

* Django 4.0.2
* Django 3.2.12
* Django 2.2.27

[1] https://www.djangoproject.com/security/
Comment 3 Carlos López 2022-01-25 09:28:47 UTC
Created attachment 855561 [details]
Attached patch 2.2.x
Comment 4 Carlos López 2022-01-25 09:29:41 UTC
Created attachment 855562 [details]
Attached patch 3.2.x
Comment 5 Carlos López 2022-01-25 09:30:11 UTC
Created attachment 855563 [details]
Attached patch 4.0.x
Comment 6 Carlos López 2022-01-25 09:30:47 UTC
Created attachment 855565 [details]
Attached patch main branch
Comment 7 Alberto Planas Dominguez 2022-01-25 09:31:24 UTC
(In reply to Carlos López from comment #5)
> Created attachment 855563 [details]
> Attached patch 4.0.x

Hi Carlos, is it OK for Factory (Django 4.0.X) to wait until the new release?
Comment 8 Carlos López 2022-01-25 10:38:16 UTC
(In reply to Alberto Planas Dominguez from comment #7)
> (In reply to Carlos López from comment #5)
> > Created attachment 855563 [details]
> > Attached patch 4.0.x
> 
> Hi Carlos, is OK for Factory (Django 4.0.X) to wait until the new release?

Hi Alberto, unless you mean waiting for a bigger update, this is expected. The next 4.0.x version (4.0.2) releases the same date as the CRD [0], and commits to OBS codestreams should wait until the embargo is over no matter what.

[0] https://docs.djangoproject.com/en/4.0/releases/4.0.2/
Comment 9 Alberto Planas Dominguez 2022-01-25 10:39:54 UTC
(In reply to Carlos López from comment #8)

> The next 4.0.x version (4.0.2) releases the same date as the CRD [0], and
> commits to OBS codestreams should wait until the embargo is over no matter
> what.

Excellent, I will submit on the same day of release for both CVEs.
Comment 10 Carlos López 2022-01-25 11:03:07 UTC
Affected:
 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1

Affected on openSUSE:
 - openSUSE:Backports:SLE-15-SP3/python-Django
 - openSUSE:Backports:SLE-15-SP4/python-Django
 - openSUSE:Factory/python-Django
 - openSUSE:Backports:SLE-15-SP3/python-Django1
 - openSUSE:Backports:SLE-15-SP4/python-Django1
Comment 11 Fergal Mc Carthy 2022-01-25 16:11:33 UTC
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update / python-Django:
  * https://build.suse.de/request/show/263089

SUSE:SLE-12-SP4:Update:Products:Cloud9:Update / python-Django1
  * https://build.suse.de/request/show/263090
Comment 14 Marcus Meissner 2022-02-01 08:40:45 UTC
via oss-security

https://www.djangoproject.com/weblog/2022/feb/01/security-releases/

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing
`Django 4.0.2 <https://docs.djangoproject.com/en/dev/releases/4.0.2/>`_,
`Django 3.2.12 <https://docs.djangoproject.com/en/dev/releases/3.2.12/>`_, and
`Django 2.2.27 <https://docs.djangoproject.com/en/dev/releases/2.2.27/>`_.
These releases address the security issues detailed below. We encourage all
users of Django to upgrade as soon as possible.

CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================

The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.

In order to avoid this vulnerability, ``{% debug %}`` no longer outputs any
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

Thanks Keryn Knight for the report.

This issue has severity "medium" according to the Django security policy.

Affected supported versions
===========================

* Django main branch
* Django 4.0
* Django 3.2
* Django 2.2

Resolution
==========

Patches to resolve the issue have been applied to Django's main branch and to
the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the
following changesets.
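The two rules stated in the advisory text above (in the bug description and again in the release announcement) are easy to check mechanically: a debug-style tag must emit nothing when DEBUG is off, and must HTML-escape everything it dumps when DEBUG is on. The following is an added, self-contained Python illustration of that fix shape; it is not Django's own code and not the attached patches. The toy renderer, the SAMPLE_CONTEXT dict and the `contains_raw_markup` helper are all constructed for this example.

```python
"""Toy model of the CVE-2022-22818 fix: a context-dumping debug tag.

Not Django code. Shows the pre-fix behaviour (verbatim dump, always on)
next to the post-fix behaviour (nothing when DEBUG is False, escaped
output when DEBUG is True).
"""
import html
from pprint import pformat

# Constructed sample context. In a real template the context can carry
# request-derived values, which is why a verbatim dump is a reflection risk.
SAMPLE_CONTEXT = {
    "title": "Hello",
    "comment": "<b>not trusted</b>",  # untrusted value that contains markup
}


def debug_tag_unsafe(context: dict) -> str:
    """Pre-fix behaviour: dump the context verbatim regardless of DEBUG.

    Any markup inside a context value reaches the page unencoded.
    """
    return pformat(context)


def debug_tag_fixed(context: dict, debug: bool) -> str:
    """Post-fix behaviour, mirroring the advisory's two rules.

    1. DEBUG is False -> output nothing at all.
    2. DEBUG is True  -> HTML-escape every value before it is emitted.
    """
    if not debug:
        return ""
    return "\n".join(html.escape(pformat(value)) for value in context.values())


def contains_raw_markup(rendered: str) -> bool:
    """Check helper: does the rendered output still carry an unescaped tag?"""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    print("unsafe, raw markup present:",
          contains_raw_markup(debug_tag_unsafe(SAMPLE_CONTEXT)))
    print("fixed, DEBUG off ->", repr(debug_tag_fixed(SAMPLE_CONTEXT, debug=False)))
    print("fixed, DEBUG on  ->", debug_tag_fixed(SAMPLE_CONTEXT, debug=True))
```

The defensive point is the ordering of the two checks: the DEBUG gate comes first so that production never emits context at all, and escaping is applied per value rather than to the joined string, so no value can be concatenated into a tag boundary before encoding.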
Comment 15 Swamp Workflow Management 2022-02-01 20:37:00 UTC
SUSE-SU-2022:0285-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1195086,1195088
CVE References: CVE-2022-22818,CVE-2022-23833
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    python-Django1-1.11.29-3.37.1
SUSE OpenStack Cloud 9 (src):    python-Django1-1.11.29-3.37.1, venv-openstack-barbican-7.0.1~dev24-3.30.1, venv-openstack-cinder-13.0.10~dev23-3.33.1, venv-openstack-designate-7.0.2~dev2-3.30.1, venv-openstack-glance-17.0.1~dev30-3.28.1, venv-openstack-heat-11.0.4~dev4-3.30.1, venv-openstack-horizon-14.1.1~dev11-4.34.2, venv-openstack-ironic-11.1.5~dev17-4.28.1, venv-openstack-keystone-14.2.1~dev7-3.31.1, venv-openstack-magnum-7.2.1~dev1-4.30.1, venv-openstack-manila-7.4.2~dev60-3.36.1, venv-openstack-monasca-2.7.1~dev10-3.32.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.30.1, venv-openstack-neutron-13.0.8~dev164-6.34.1, venv-openstack-nova-18.3.1~dev91-3.34.1, venv-openstack-octavia-3.2.3~dev7-4.30.1, venv-openstack-sahara-9.0.2~dev15-3.30.1, venv-openstack-swift-2.19.2~dev48-2.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-02-01 20:39:37 UTC
SUSE-SU-2022:0286-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194116,1195086,1195088
CVE References: CVE-2021-45452,CVE-2022-22818,CVE-2022-23833
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    python-Django-1.11.29-3.39.1
SUSE OpenStack Cloud 8 (src):    python-Django-1.11.29-3.39.1, venv-openstack-aodh-5.1.1~dev7-12.37.1, venv-openstack-barbican-5.0.2~dev3-12.38.1, venv-openstack-ceilometer-9.0.8~dev7-12.35.1, venv-openstack-cinder-11.2.3~dev29-14.39.1, venv-openstack-designate-5.0.3~dev7-12.36.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.33.1, venv-openstack-glance-15.0.3~dev3-12.36.1, venv-openstack-heat-9.0.8~dev22-12.40.1, venv-openstack-horizon-12.0.5~dev6-14.43.2, venv-openstack-ironic-9.1.8~dev8-12.38.1, venv-openstack-keystone-12.0.4~dev11-11.40.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.37.1, venv-openstack-manila-5.1.1~dev5-12.42.1, venv-openstack-monasca-2.2.2~dev1-11.40.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.33.1, venv-openstack-murano-4.0.2~dev2-12.33.1, venv-openstack-neutron-11.0.9~dev69-13.43.1, venv-openstack-nova-16.1.9~dev92-11.41.1, venv-openstack-octavia-1.0.6~dev3-12.38.1, venv-openstack-sahara-7.0.5~dev4-11.37.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.28.1, venv-openstack-trove-8.0.2~dev2-11.37.1
HPE Helion Openstack 8 (src):    python-Django-1.11.29-3.39.1, venv-openstack-aodh-5.1.1~dev7-12.37.1, venv-openstack-barbican-5.0.2~dev3-12.38.1, venv-openstack-ceilometer-9.0.8~dev7-12.35.1, venv-openstack-cinder-11.2.3~dev29-14.39.1, venv-openstack-designate-5.0.3~dev7-12.36.1, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.33.1, venv-openstack-glance-15.0.3~dev3-12.36.1, venv-openstack-heat-9.0.8~dev22-12.40.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.43.2, venv-openstack-ironic-9.1.8~dev8-12.38.1, venv-openstack-keystone-12.0.4~dev11-11.40.1, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.37.1, venv-openstack-manila-5.1.1~dev5-12.42.1, venv-openstack-monasca-2.2.2~dev1-11.40.1, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.33.1, venv-openstack-murano-4.0.2~dev2-12.33.1, venv-openstack-neutron-11.0.9~dev69-13.43.1, venv-openstack-nova-16.1.9~dev92-11.41.1, venv-openstack-octavia-1.0.6~dev3-12.38.1, venv-openstack-sahara-7.0.5~dev4-11.37.1, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.28.1, venv-openstack-trove-8.0.2~dev2-11.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Christian Almeida de Oliveira 2022-02-11 15:15:13 UTC
SOC fixes available, back to security team.
Comment 18 Marcus Meissner 2022-02-14 12:42:40 UTC
done