Bug#946011: python-django: CVE-2019-19118
Chris Lamb
2019-12-02 20:30:02 UTC
Package: python-django
Version: 1.7.11-1+deb8u7
X-Debbugs-CC: ***@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19118[0]:
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118


Regards,
--
,''`.
: :' : Chris Lamb
`. `'` ***@debian.org / chris-lamb.co.uk
`-
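The permission rule described in the CVE text above, as an added example that is not part of this bug report and not Django's own code: a pure-Python simulation (no Django import) of an admin change view handling a POST with inline data. The `User`, `Parent`, `Child` and `SIGNAL_LOG` names, the `app.view_parent` / `app.change_parent` / `app.change_child` permission strings and the two `inline_editable_*` rules are constructed for the illustration. It contrasts the pre-fix rule (edit permission on the inline model alone makes the inline editable) with the post-fix rule (edit permission on the parent is also required) and records whether the parent's `save()` and its signal handlers fire for a user who is view-only on the parent.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical signal log standing in for pre_save / post_save handlers.
SIGNAL_LOG: list[str] = []


@dataclass
class User:
    """Constructed stand-in for an admin user holding model permissions."""
    perms: set

    def has_perm(self, perm: str) -> bool:
        return perm in self.perms


@dataclass
class Child:
    value: str


@dataclass
class Parent:
    name: str
    children: list = field(default_factory=list)

    def save(self) -> None:
        # The side effects the CVE text warns about live in these handlers
        # (audit rows, notifications, cache invalidation, ...).
        SIGNAL_LOG.append(f"pre_save:{self.name}")
        SIGNAL_LOG.append(f"post_save:{self.name}")


def inline_editable_vulnerable(user: User) -> bool:
    """Rule before the fix: edit permission on the inline model alone
    makes the inline editable, even when the parent is view-only."""
    return user.has_perm("app.change_child")


def inline_editable_fixed(user: User) -> bool:
    """Rule after the fix: the parent must also be changeable."""
    return user.has_perm("app.change_parent") and user.has_perm("app.change_child")


def post_change_view(user: User, parent: Parent, new_value: str, inline_editable) -> dict:
    """Simulated admin change view handling a POST carrying inline data.

    Mirrors the flow the CVE describes: when the inline is considered
    editable for this user, the admin saves the parent (firing its signal
    handlers) and then applies the inline formset.
    """
    SIGNAL_LOG.clear()
    current = parent.children[0].value
    if not user.has_perm("app.view_parent"):
        return {"status": 403, "signals": [], "child": current}
    if not inline_editable(user):
        # View-only UI: inline POST data is discarded, nothing is saved.
        return {"status": 403, "signals": [], "child": current}
    parent.save()
    parent.children[0].value = new_value
    return {"status": 302, "signals": list(SIGNAL_LOG), "child": new_value}


def run_scenario(rule) -> dict:
    """The CVE's precondition: view-only on Parent, change on Child."""
    user = User({"app.view_parent", "app.view_child", "app.change_child"})
    parent = Parent("p1", [Child("original")])
    return post_change_view(user, parent, "tampered", rule)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(inline_editable_vulnerable))
    print("fixed:     ", run_scenario(inline_editable_fixed))
```

Under the pre-fix rule the view-only user's POST succeeds, the inline row changes and both parent signal handlers run; under the post-fix rule the same request is refused before `save()` is reached, which is the behaviour the upstream adjustment restores.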
Chris Lamb
2019-12-02 20:40:02 UTC
Post by Chris Lamb
Package: python-django
Version: 1.7.11-1+deb8u7
[…]
Post by Chris Lamb
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)
Security team, would you like an upload for stable?


Regards,
--
,''`.
: :' : Chris Lamb
`. `'` ***@debian.org 🍥 chris-lamb.co.uk
`-
Salvatore Bonaccorso
2019-12-02 21:00:02 UTC
Hi Chris,
Post by Chris Lamb
Post by Chris Lamb
Package: python-django
Version: 1.7.11-1+deb8u7
[…]
Post by Chris Lamb
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)
Security team, would you like an upload for stable?
As far as I can see this issue has been introduced around 2.1 where the
support for view permissions and read-only admin support was
added. Before that the issue does not seem to be present and as such
is not affecting buster, nor stretch or older.

I have updated this bug with some metadata with that regard. Can you
confirm this assessment?

Regards,
Salvatore
