[Python-modules-team] Bug#946011: python-django: CVE-2019-19118

Chris Lamb lamby at debian.org
Mon Dec 2 20:20:51 GMT 2019


Package: python-django
Version: 1.7.11-1+deb8u7
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2019-19118[0]:
| Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
| editing. A Django model admin displaying inline related models, where
| the user has view-only permissions to a parent model but edit
| permissions to the inline model, would be presented with an editing
| UI, allowing POST requests, for updating the inline model. Directly
| editing the view-only parent model was not possible, but the parent
| model's save() method was called, triggering potential side effects,
| and causing pre and post-save signal handlers to be invoked. (To
| resolve this, the Django admin is adjusted to require edit permissions
| on the parent model in order for inline models to be editable.)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19118
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19118


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-
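As an added illustration (not code from this bug report, from Debian, or from Django itself), the following pure-Python model shows the permission gate the advisory describes: before the fix the inline formset's own add/change/delete permissions are taken at face value, so a user with view-only access to the parent still gets an editing UI and a POST walks through the parent's save() and its signal handlers; with the fix, missing edit permission on the parent (change for an existing object, add for a new one) drops every inline edit permission. All names here (Perms, SaveLog, inline_edit_perms, handle_inline_post) are constructed for the example and do not exist in Django; the save ordering mirrors the admin saving the parent before its related formsets.

```python
"""Constructed model of the CVE-2019-19118 permission gate (not Django code)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Perms:
    """Admin permissions a user holds on one model (constructed stand-in)."""
    view: bool = False
    add: bool = False
    change: bool = False
    delete: bool = False


@dataclass
class SaveLog:
    """Records what the simulated change view would have executed."""
    events: List[str] = field(default_factory=list)


def save_parent(log: SaveLog) -> None:
    """Stand-in for ModelAdmin.save_model() -> Model.save(): the pre/post-save
    signal handlers fire here, which is the side effect the advisory describes."""
    log.events += ["pre_save(parent)", "parent.save()", "post_save(parent)"]


def inline_edit_perms(parent: Perms, inline: Perms, editing_existing: bool,
                      require_parent_edit: bool) -> Tuple[bool, bool, bool]:
    """(add, change, delete) granted to the inline formset.

    require_parent_edit=False reproduces the vulnerable behaviour: the inline
    model's permissions are used as-is. require_parent_edit=True applies the
    rule the advisory describes: without edit permission on the parent (change
    for an existing object, add for a new one) every inline edit permission is
    dropped and only the read-only view remains.
    """
    can_edit_parent = parent.change if editing_existing else parent.add
    if require_parent_edit and not can_edit_parent:
        return (False, False, False)
    return (inline.add, inline.change, inline.delete)


def handle_inline_post(parent: Perms, inline: Perms, require_parent_edit: bool) -> SaveLog:
    """Simulate a POST to the change page of an existing parent that edits
    one inline row, returning the log of what would have been saved."""
    log = SaveLog()
    _add, change, _delete = inline_edit_perms(parent, inline, True, require_parent_edit)
    if not change:
        # No editable formset: the page is rendered read-only and the POST is
        # rejected before any save, so the parent's signals never fire.
        log.events.append("rejected")
        return log
    # The admin saves the parent first, then the related formsets.
    save_parent(log)
    log.events.append("inline.save()")
    return log


if __name__ == "__main__":
    # Constructed scenario from the advisory: view-only parent, editable inline.
    view_only_parent = Perms(view=True)
    editable_inline = Perms(view=True, add=True, change=True, delete=True)
    print("vulnerable:", handle_inline_post(view_only_parent, editable_inline, False).events)
    print("fixed:     ", handle_inline_post(view_only_parent, editable_inline, True).events)
```

Running it prints the vulnerable path (parent pre_save, save, post_save, then the inline save) against the fixed path, which only records the rejection; the same gate is what a custom ModelAdmin that overrides inline permission methods should preserve when backporting, since the parent's edit permission, not the inline's, decides whether the formset is editable.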
