Vulnerability Details: CVE-2019-19844
Potential exploit
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Products affected by CVE-2019-19844
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:3.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-19844
- EPSS score: 15.46% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~94% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-19844
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2019-19844
- The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-19844
- https://security.gentoo.org/glsa/202004-17 - Django: Multiple vulnerabilities (GLSA 202004-17), Gentoo security
- https://usn.ubuntu.com/4224-1/ - USN-4224-1: Django vulnerability, Ubuntu security notices (Third Party Advisory)
- http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html - Django Account Hijack, Packet Storm
- https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0 - Google Groups, django-announce (Third Party Advisory)
- https://docs.djangoproject.com/en/dev/releases/security/ - Archive of security issues, Django documentation (Vendor Advisory)
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ - Django security releases issued: 3.0.1, 2.2.9, and 1.11.27, Django weblog (Vendor Advisory)
- https://seclists.org/bugtraq/2020/Jan/9 - Bugtraq: [SECURITY] [DSA 4598-1] python-django security update
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/ - [SECURITY] Fedora 31 Update: python-django-2.2.9-1.fc31, package-announce, Fedora Mailing-Lists
- https://www.debian.org/security/2020/dsa-4598 - Debian Security Information: DSA-4598-1 python-django
- https://security.netapp.com/advisory/ntap-20200110-0003/ - CVE-2019-19844 Django Vulnerability in NetApp Products, NetApp Product Security