CVE-2019-19844

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-19844
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-19844.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-19844
Aliases
Related
Published
2019-12-18T19:15:11Z
Modified
2024-10-12T04:50:18.398056Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

References

Affected packages

Alpine:v3.10 / py-django

Package

Name
py-django
Purl
pkg:apk/alpine/py-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.27-r0

Affected versions

1.*

1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.20-r1
1.11.21-r0
1.11.22-r0
1.11.23-r0

Alpine:v3.11 / py3-django

Package

Name
py3-django
Purl
pkg:apk/alpine/py3-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.27-r0

Affected versions

1.*

1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.20-r1
1.11.21-r0
1.11.22-r0
1.11.23-r0
1.11.23-r1
1.11.23-r2

Alpine:v3.12 / py3-django

Package

Name
py3-django
Purl
pkg:apk/alpine/py3-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.27-r0

Affected versions

1.*

1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.20-r1
1.11.21-r0
1.11.22-r0
1.11.23-r0
1.11.23-r1
1.11.23-r2

Alpine:v3.8 / py-django

Package

Name
py-django
Purl
pkg:apk/alpine/py-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.27-r0

Affected versions

1.*

1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.21-r0
1.11.22-r0
1.11.23-r0

Alpine:v3.9 / py-django

Package

Name
py-django
Purl
pkg:apk/alpine/py-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.11.27-r0

Affected versions

1.*

1.2.5-r0
1.2.5-r1
1.4.1-r0
1.5-r0
1.5.1-r0
1.5.5-r0
1.5.6-r0
1.5.7-r0
1.5.8-r0
1.6.5-r0
1.6.6-r0
1.7-r0
1.8-r0
1.8.3-r0
1.8.4-r0
1.8.6-r0
1.8.7-r0
1.8.8-r0
1.8.10-r0
1.8.12-r0
1.8.14-r0
1.8.15-r0
1.8.16-r0
1.10.5-r0
1.10.7-r0
1.11-r0
1.11-r1
1.11.5-r0
1.11.9-r0
1.11.10-r0
1.11.11-r0
1.11.12-r0
1.11.13-r0
1.11.15-r0
1.11.18-r0
1.11.20-r0
1.11.21-r0
1.11.22-r0
1.11.23-r0

Debian:11 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / python-django

Package

Name
python-django
Purl
pkg:deb/debian/python-django?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:2.2.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/django/django

Affected ranges

Type
GIT
Repo
https://github.com/django/django
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0
1.1
1.11
1.11.1
1.11.10
1.11.11
1.11.12
1.11.13
1.11.14
1.11.15
1.11.16
1.11.17
1.11.18
1.11.19
1.11.2
1.11.20
1.11.21
1.11.22
1.11.23
1.11.24
1.11.25
1.11.26
1.11.3
1.11.4
1.11.5
1.11.6
1.11.7
1.11.8
1.11.9
1.11a1
1.11b1
1.11rc1
1.2
1.2.1
1.3
1.4
1.7a1
1.7a2