CVE-2019-3498

Description

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.

How to fix CVE-2019-3498

To remediate CVE-2019-3498, upgrade the affected package to a fixed version below.

• —upgrade to 1.11.18-r0 or later
• —upgrade to 1.11.18-r0 or later
• —upgrade to 1:1.10.7-2+deb9u4 or later
• —upgrade to 1.7.11-1+deb8u4 or later
• —upgrade to 1:1.11.18-1 or later
• —upgrade to 1.11.18 or later
• —upgrade to 1.11.18 or later

Is CVE-2019-3498 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 1.11.18-r0
• from 0, < 1.11.18-r0
• from 0, < 1:1.10.7-2+deb9u4
• from 0, < 1.7.11-1+deb8u4
• from 0, < 1:1.11.18-1
• >= 1.11a1, < 1.11.18
• >= 1.11, < 1.11.18, >= 2.0, < 2.0.10, >= 2.1, < 2.1.5

CVSS scores

References (19)

• ADVISORYgithub.com/advisories/GHSA-337x-4q8g-prc5
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-3498
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-3498
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-3498
• ADVISORY