CVE-2019-19118

{"id": "CVE-2019-19118", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-12-02T14:15:10.880", "references": [{"url": "http://www.openwall.com/lists/oss-security/2019/12/02/1", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.djangoproject.com/en/dev/releases/security/", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ", "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/", "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202004-17", "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20191217-0003/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2019/12/02/1", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.djangoproject.com/en/dev/releases/security/", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202004-17", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20191217-0003/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.djangoproject.com/weblog/2019/dec/02/security-releases/", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)"}, {"lang": "es", "value": "Django versiones 2.1 anteriores a 2.1.15 y versiones 2.2 anteriores a 2.2.8, permite una edici\u00f3n de modelos involuntaria. Un administrador de modelo de Django que despliega modelos relacionados en l\u00ednea, donde el usuario tiene permisos de solo lectura para un modelo principal pero permisos de edici\u00f3n para el modelo en l\u00ednea, ser\u00eda presentado con una IU de edici\u00f3n, que permite peticiones POST, para actualizar el modelo en l\u00ednea. No fue posible editar directamente el modelo principal de solo lectura, pero el m\u00e9todo save() del modelo principal fue llamado, activando posibles efectos secundarios y causando que los manejadores de se\u00f1ales previos y posteriores al guardado sean invocados. (Para resolver esto, el administrador de Django es ajustado para requerir permisos de edici\u00f3n en el modelo principal para que los modelos en l\u00ednea sean editables)."}], "lastModified": "2024-11-21T04:34:13.920", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F28B6AFD-209E-4F73-8186-8D271551DA14", "versionEndExcluding": "2.1.15", "versionStartIncluding": "2.1"}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8C7C4A3-6D86-43F3-9E07-B05760C6BC18", "versionEndExcluding": "2.2.8", "versionStartIncluding": "2.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}