CVE-2019-19844
First published: Wed Dec 18 2019(Updated: )
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/django | >=3.0.0<3.0.1 | 3.0.1 |
| pip/django | >=2.0.0<2.2.9 | 2.2.9 |
| pip/django | <1.11.27 | 1.11.27 |
| debian/python-django | <=1:1.11.23-1~deb10u1<=1:1.10.7-2+deb9u6 | 2:2.2.9-1 2:3.0.1-1 1:1.11.27-1~deb10u1 1:1.10.7-2+deb9u7 |
| debian/2:2.2.8-1 | ||
| Djangoproject Django | <1.11.27 | |
| Djangoproject Django | >=2.2<2.2.9 | |
| Djangoproject Django | =3.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| debian/python-django | 1:1.11.29-1~deb10u1 1:1.11.29-1+deb10u11 2:2.2.28-1~deb11u2 3:3.2.19-1+deb12u1 3:4.2.11-1 | |
| ubuntu/python-django | <1:1.11.11-1ubuntu1.6 | 1:1.11.11-1ubuntu1.6 |
| ubuntu/python-django | <1:1.11.20-1ubuntu0.3 | 1:1.11.20-1ubuntu0.3 |
| ubuntu/python-django | <1:1.11.22-1ubuntu1.1 | 1:1.11.22-1ubuntu1.1 |
| ubuntu/python-django | <2:2.2.9-2ubuntu1 | 2:2.2.9-2ubuntu1 |
| ubuntu/python-django | <2:2.2.9-2ubuntu1 | 2:2.2.9-2ubuntu1 |
| ubuntu/python-django | <2:2.2.9-2ubuntu1 | 2:2.2.9-2ubuntu1 |
| ubuntu/python-django | <2:2.2.9-2ubuntu1 | 2:2.2.9-2ubuntu1 |
| ubuntu/python-django | <2:2.2.9-2ubuntu1 | 2:2.2.9-2ubuntu1 |
| ubuntu/python-django | <1.6.11-0ubuntu1.3+ | 1.6.11-0ubuntu1.3+ |
| ubuntu/python-django | <1.11.27<2.2.9 | 1.11.27 2.2.9 |
| ubuntu/python-django | <1.8.7-1ubuntu5.11 | 1.8.7-1ubuntu5.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-19844
- https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70
- https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2
- https://groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0
- https://seclists.org/bugtraq/2020/Jan/9
- https://security.netapp.com/advisory/ntap-20200110-0003/
- https://usn.ubuntu.com/4224-1/
- https://www.debian.org/security/2020/dsa-4598
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
- http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
- https://security.gentoo.org/glsa/202004-17
- https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26
- https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e
- https://github.com/advisories/GHSA-vfq6-hq5r-27r6 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2019-19844
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
- https://salsa.debian.org/python-team/modules/python-django/commit/5019e30eec71c58332ae03aab750b078737878c1
- https://bugs.debian.org/946937
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946937
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/
- https://launchpad.net/bugs/cve/CVE-2019-19844
- https://ubuntu.com/security/notices/USN-4224-1
- https://ubuntu.com/security/notices/USN-6722-1
- https://www.cve.org/CVERecord?id=CVE-2019-19844
- https://ubuntu.com/security/CVE-2019-19844
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2019-19844.
What is the severity of CVE-2019-19844?
The severity of CVE-2019-19844 is critical with a CVSS score of 9.8.
What is the affected software for CVE-2019-19844?
The affected software for CVE-2019-19844 is Django versions before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1.
How does CVE-2019-19844 allow an account takeover?
CVE-2019-19844 allows an account takeover by using a suitably crafted email address that matches an existing user's email address after case transformation of Unicode characters, allowing the attacker to receive a password reset token for the matched user.
Is there a fix available for CVE-2019-19844?
Yes, the fix for CVE-2019-19844 is to upgrade Django to version 1.11.27, 2.2.9, or 3.0.1, depending on the version you are using.
- collector/github-advisory-latest
- alias/GHSA-vfq6-hq5r-27r6
- alias/CVE-2019-19844
- collector/github-advisory
- collector/debian-bugs
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/description
- agent/remedy
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- collector/launchpad-cve
- source/Launchpad
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- package-manager/pip
- package-manager/debian
- vendor/djangoproject
- canonical/djangoproject django
- version/djangoproject django/2.2
- version/djangoproject django/3.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- package-manager/ubuntu