OpenSUSE Linux update for python-Django

Published: 2019-08-14
Severity High
Patch available YES
Number of vulnerabilities 7
CVE ID CVE-2019-11358
CVE-2019-12308
CVE-2019-12781
CVE-2019-14232
CVE-2019-14233
CVE-2019-14234
CVE-2019-14235
CWE ID CWE-400
CWE-79
CWE-319
CWE-399
CWE-89
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software SUSE Linux Subscribe
Vendor SuSE

Security Advisory

1) Prototype pollution

Severity: Low

CVSSv3: 4.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-11358

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to prototype pollution. A remote attacker can trick the extend function can into modifying the prototype of Object when the attacker controls part of the structure passed to this function. This can let an attacker add or modify an existing property that will then exist on all objects and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages.

Vulnerable software versions

SUSE Linux: 15

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Cross-site scripting

Severity: Low

CVSSv3: 4.1 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-12308

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of URL within the AdminURLFieldWidget. A remote attacker can trick the victim to follow a specially crafted link and display a clickable JavaScript link.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected packages.

Vulnerable software versions

SUSE Linux: 15

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cleartext transmission of sensitive information

Severity: Medium

CVSSv3: 4 [CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12781

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Description

The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to django.http.HttpRequest.scheme, when deployed behind a reverse-proxy, does not correctly treat requests sent over HTTP protocol, assuming that a secure protocol is used for communication. A remote attacker with ability to force victim to use HTTP instead of HTTPS protocol can perform man-in-the-middle (MitM) attack and intercept communication in cleat text.

Mitigation

Update the affected packages.

Vulnerable software versions

SUSE Linux: 15

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource management error

Severity: Medium

CVSSv3: 5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-14232

CWE-ID: CWE-399 - Resource Management Errors

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of truncatechars_html and truncatewords_html template filters in django.utils.text.Truncator during evaluation of HTML content. A remote attacker can pass large content in HTML format to the application and trigger resource exhaustion.

Mitigation

Update the affected packages.

Vulnerable software versions

SUSE Linux: 15

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Resource management error

Severity: Medium

CVSSv3: 5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-14233

CWE-ID: CWE-399 - Resource Management Errors

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to usage of django.utils.html.strip_tags() during evaluation of HTML content. A remote attacker can pass large content in HTML format to the application and trigger resource exhaustion.

Mitigation

Update the affected packages.

Vulnerable software versions

SUSE Linux: 15

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) SQL injection

Severity: High

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-14234

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data in django.contrib.postgres.fields.JSONField and django.contrib.postgres.fields.HStoreField. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Mitigation

Update the affected packages.

Vulnerable software versions

SUSE Linux: 15

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Resource management error

Severity: Medium

CVSSv3: 5.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-14235

CWE-ID: CWE-399 - Resource Management Errors

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when parsing URF-8 data with django.utils.encoding.uri_to_iri(). A remote attacker can pass specially crafted content to the application and consume all available memory on the system.

Mitigation

Update the affected packages.

Vulnerable software versions

SUSE Linux: 15

CPE External links

https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.