CVE-2019-19844 - OpenCVE

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Djangoproject	Django

Configuration 1 [-]

OR	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django::::::::
	cpe:2.3:a:djangoproject:django:3.0:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*

References

Link	Resource
http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
https://docs.djangoproject.com/en/dev/releases/security/	Vendor Advisory
https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
https://seclists.org/bugtraq/2020/Jan/9
https://security.gentoo.org/glsa/202004-17
https://security.netapp.com/advisory/ntap-20200110-0003/
https://usn.ubuntu.com/4224-1/	Third Party Advisory
https://www.debian.org/security/2020/dsa-4598
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-12-18T18:07:11

Updated: 2020-05-01T01:06:13

Reserved: 2019-12-17T00:00:00

Link: CVE-2019-19844

JSON object: View

NVD Information

Status : Modified

Published: 2019-12-18T19:15:11.780

Modified: 2023-11-07T03:07:49.577

Link: CVE-2019-19844

JSON object: View

Redhat Information

No data.

CWE

CWE-640

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-01T01:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}, {"name": "USN-4224-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4224-1/"}, {"name": "DSA-4598", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4598"}, {"name": "20200108 [SECURITY] [DSA 4598-1] python-django security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2020/Jan/9"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"}, {"name": "FEDORA-2020-adb4f0143a", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"}, {"name": "GLSA-202004-17", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202004-17"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19844", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://docs.djangoproject.com/en/dev/releases/security/", "refsource": "MISC", "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"name": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0", "refsource": "MISC", "url": "https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0"}, {"name": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}, {"name": "USN-4224-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4224-1/"}, {"name": "DSA-4598", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4598"}, {"name": "20200108 [SECURITY] [DSA 4598-1] python-django security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Jan/9"}, {"name": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}, {"name": "https://security.netapp.com/advisory/ntap-20200110-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"}, {"name": "FEDORA-2020-adb4f0143a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"}, {"name": "GLSA-202004-17", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202004-17"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19844", "datePublished": "2019-12-18T18:07:11", "dateReserved": "2019-12-17T00:00:00", "dateUpdated": "2020-05-01T01:06:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "B19BDC93-017C-444E-BE89-E5951564C6F1", "versionEndExcluding": "1.11.27", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "72FE3431-6956-4197-B0B7-9263888FF1FC", "versionEndExcluding": "2.2.9", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "C23D9FE4-31F5-4A23-916E-8EC763886DC9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)"}, {"lang": "es", "value": "Django versiones anteriores a 1.11.27, versiones 2.x anteriores a 2.2.9 y versiones 3.x anteriores a 3.0.1, permite tomar el control de la cuenta. Una direcci\u00f3n de correo electr\u00f3nico dise\u00f1ada adecuadamente (que es igual a la direcci\u00f3n de correo electr\u00f3nico de un usuario existente despu\u00e9s de la transformaci\u00f3n de may\u00fasculas y min\u00fasculas de los caracteres Unicode) permitir\u00eda a un atacante enviarle un token de restablecimiento de contrase\u00f1a para la cuenta de usuario coincidente. (Una mitigaci\u00f3n en las nuevas versiones es enviar tokens de restablecimiento de contrase\u00f1a solo a la direcci\u00f3n de correo electr\u00f3nico del usuario registrado)."}], "id": "CVE-2019-19844", "lastModified": "2023-11-07T03:07:49.577", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-18T19:15:11.780", "references": [{"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2020/Jan/9"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202004-17"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20200110-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4224-1/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2020/dsa-4598"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}