oss-sec mailing list archives
Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)
From: Carlton Gibson <carlton.gibson () gmail com>
Date: Mon, 3 Jun 2019 13:21:10 +0200
In accordance with `our security release policy <https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 1.11.21 <https://docs.djangoproject.com/en/dev/releases/1.11.21/>`_, `Django 2.1.9 <https://docs.djangoproject.com/en/dev/releases/2.1.9/>`_, and `Django 2.2.2 <https://docs.djangoproject.com/en/dev/releases/2.2.2/>`_. These releases addresses the security issues detailed below. We encourage all users of Django to upgrade as soon as possible. CVE-2019-12308: AdminURLFieldWidget XSS ======================================= The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link. ``AdminURLFieldWidget`` now validates the provided value using ``URLValidator`` before displaying the clickable link. You may customise the validator by passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g. when using ``ModelAdmin.formfield_overrides``. Affected versions ----------------- * Django master development branch * Django 2.2 before version 2.2.2 * Django 2.1 before version 2.1.9 * Django 1.11 before version 1.11.21 Patched bundled jQuery for CVE-2019-11358: Prototype pollution ============================================================== jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of ``Object.prototype`` pollution. If an unsanitized source object contained an enumerable ``__proto__`` property, it could extend the native ``Object.prototype``. The bundled version of jQuery used by the Django admin has been patched to allow for the ``select2`` library's use of ``jQuery.extend()``. Affected versions ----------------- * Django master development branch * Django 2.2 before version 2.2.2 * Django 2.1 before version 2.1.9 Resolution ========== Patches to resolve these issues have been applied to Django's master branch and the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the following changesets: On the master branch: * `Admin XSS <https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008>`__ * `jQuery prototype pollution <https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f>`__ On the 2.2 release branch: * `Admin XSS <https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673>`__ * `jQuery prototype pollution <https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad>`__ On the 2.1 release branch: * `Admin XSS <https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62>`__ * `jQuery prototype pollution <https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829>`__ On the 1.11 release branch: * `Admin XSS <https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b>`__ The following releases have been issued: * Django 1.11.21 (`download Django 1.11.21 <https://www.djangoproject.com/m/releases/1.11/Django-1.11.21.tar.gz>`_ | `1.11.21 checksums <https://www.djangoproject.com/m/pgp/Django-1.11.21.checksum.txt>`_) * Django 2.1.9 (`download Django 2.1.9 <https://www.djangoproject.com/m/releases/2.1/Django-2.1.9.tar.gz>`_ | `2.1.9 checksums <https://www.djangoproject.com/m/pgp/Django-2.1.9.checksum.txt>`_) * Django 2.2.2 (`download Django 2.2.2 <https://www.djangoproject.com/m/releases/2.1/Django-2.2.2.tar.gz>`_ | `2.2.2 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.2.checksum.txt>`_) The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00. General notes regarding security reporting ========================================== As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance or the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.
Current thread:
- Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358) Carlton Gibson (Jun 03)