CVE-2019-3498

Impact: Moderate
Public Date: 2019-01-07
CWE: CWE-99
Bugzilla: 1663722: CVE-2019-3498 python-django: Content spoofing via URL path in default 404 page

The MITRE CVE dictionary describes this issue as:

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
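The description above is enough to reproduce the issue without a Django install: the default 404 view placed the decoded request path in the page body, so a path made of percent-encoded words renders as readable prose under the site's own "Not Found" heading. The following is an added example, not Django's own code or the view from the advisory. It emulates the pre-fix and post-fix rendering (assumptions: template autoescaping is emulated with html.escape(), and the post-fix behaviour follows the Django 1.11.18 / 2.0.10 / 2.1.5 release notes, which dropped the path from the default template and pass request_path through urllib.parse.quote() for custom templates), and it adds an is_affected() check that applies the version ranges quoted above to a plain dotted release string. SPOOF_URL is a constructed sample, not a captured request.

```python
import html
from urllib.parse import quote, unquote

# Affected ranges taken from the advisory text above: each series maps to the
# first release that carries the fix.
FIXED_IN = {
    (1, 11): (1, 11, 18),
    (2, 0): (2, 0, 10),
    (2, 1): (2, 1, 5),
}


def parse_version(version):
    """'2.1.4' -> (2, 1, 4). Assumes a plain dotted numeric release string."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version):
    """True when the given Django release falls inside an affected range."""
    parts = parse_version(version)
    fixed = FIXED_IN.get(parts[:2])
    return fixed is not None and parts < fixed


# Emulated templates (assumption: modelled on the release notes, not copied
# from Django). The old one interpolates the path; the new one does not.
DEFAULT_TEMPLATE_OLD = ("<h1>Not Found</h1>"
                        "<p>The requested URL {request_path} was not found on this server.</p>")
DEFAULT_TEMPLATE_NEW = ("<h1>Not Found</h1>"
                        "<p>The requested resource was not found on this server.</p>")


def vulnerable_404(raw_path):
    """Pre-fix rendering (emulated): the decoded request path is placed in the
    page verbatim. Autoescaping is emulated with html.escape(), so this is
    content spoofing, not script injection."""
    request_path = unquote(raw_path)  # WSGI hands Django the percent-decoded path
    return DEFAULT_TEMPLATE_OLD.format(request_path=html.escape(request_path))


def fixed_404(raw_path, custom_template=None):
    """Post-fix rendering (emulated): the default template no longer shows the
    path, and request_path is percent-encoded before any custom template sees
    it, so spaces and punctuation cannot read as prose."""
    request_path = quote(unquote(raw_path))
    if custom_template is None:
        return DEFAULT_TEMPLATE_NEW
    return custom_template.format(request_path=html.escape(request_path))


# Constructed sample: a crafted URL whose decoded path reads as a message.
SPOOF_URL = "/Your%20account%20is%20locked.%20Call%20555-0100%20to%20unlock"

if __name__ == "__main__":
    print(vulnerable_404(SPOOF_URL))
    print(fixed_404(SPOOF_URL))
    print(fixed_404(SPOOF_URL, "<p>{request_path} is missing</p>"))
    for v in ("1.11.17", "1.11.18", "2.1.4", "2.1.5", "2.2.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Two practical points follow from running it. Because the default template autoescapes, a path such as /%3Cscript%3E comes out as &lt;script&gt;; the CVSS metrics on this page (Integrity Low, User Interaction Required) reflect that the harm is a convincing message on a trusted domain, not code execution. And a site that overrides 404.html and prints request_path is still exposed on an affected release, since the quoting was added in the view; upgrading, or percent-encoding the path in the template, is what closes it.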

Find out more about CVE-2019-3498 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 4.3
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None

Affected Packages State

Platform | Package | State
Red Hat Subscription Asset Manager 1 | Django | Will not fix
Red Hat Satellite 6 | python-django | Under investigation
Red Hat OpenStack Platform Operational Tools 9 | python-django | Under investigation
Red Hat OpenStack Platform 9.0 | python-django | Under investigation
Red Hat OpenStack Platform 8.0 (Liberty) | python-django | Under investigation
Red Hat OpenStack Platform 14 | python-django | Under investigation
Red Hat OpenStack Platform 13.0 (Queens) | python-django | Under investigation
Red Hat OpenStack Platform 10 | python-django | Under investigation
Red Hat Gluster Storage 3 | python-django | Affected
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 | python-django | Under investigation
Red Hat Ceph Storage 3 | python-django | Affected
Red Hat Ceph Storage 2 | python-django | Affected

CVE description copyright © 2017, The MITRE Corporation