Recently, Django officially released a security bulletin to fix a security vulnerability. The high-risk vulnerability is CVE-2019-19844. Django’s password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset.
an attacker who knows the email address associated with a user account can craft an email address which is distinct from the address associated with that account, but which — due to the behavior of Unicode case transformations — ceases to be distinct after case transformation, or which will otherwise compare equal given database case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account.
- Django master branch
- Django 3.0
- Django 2.2
- Django 1.11
Django officially released a patch to fix this vulnerability, please the affected users upgrade Django as soon as possible.
The post CVE-2019-19844: Django Potential account hijack vulnerability alert appeared first on InfoTech News.