cvelistv5 - CVE-2019-13177

CVE-2019-13177 (GCVE-0-2019-13177)

Vulnerability from cvelistv5

Published

2019-07-02 21:17

Modified

2024-08-04 23:41

Severity ?

CWE

Summary

verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.

References

URL

Tags

cve@mitre.org	https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0	Release Notes, Third Party Advisory
cve@mitre.org	https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh	Exploit, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:41:10.490Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-02T21:17:53",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13177",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh",
              "refsource": "MISC",
              "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
            },
            {
              "name": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0",
              "refsource": "MISC",
              "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-13177",
    "datePublished": "2019-07-02T21:17:53",
    "dateReserved": "2019-07-02T00:00:00",
    "dateUpdated": "2024-08-04T23:41:10.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-13177\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-07-02T22:15:09.770\",\"lastModified\":\"2024-11-21T04:24:21.807\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.\"},{\"lang\":\"es\",\"value\":\"El archivo verification.py en django-rest-registration (tambi\u00e9n conocida como biblioteca de registro REST de Django) anterior a la versi\u00f3n 0.5.0 consiste en una cadena est\u00e1tica para firmas (es decir, la API de firma de Django es usada inapropiadamente), lo que permite a los atacantes remotos suplantar el proceso de comprobaci\u00f3n. Esto ocurre porque la refactorizaci\u00f3n del c\u00f3digo incorrecta conllev\u00f3 a llamar a una funci\u00f3n cr\u00edtica de seguridad con un argumento incorrecto.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:django-rest-registration_project:django-rest-registration:*:*:*:*:*:django:*:*\",\"versionStartExcluding\":\"0.1.0\",\"versionEndExcluding\":\"0.5.0\",\"matchCriteriaId\":\"F950C177-4510-4EE8-88A5-BC57996E4C98\"}]}]}],\"references\":[{\"url\":\"https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

gsd-2019-13177

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2019-13177

Aliases

CVE-2019-13177

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-13177",
    "description": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.",
    "id": "GSD-2019-13177"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-13177"
      ],
      "details": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.",
      "id": "GSD-2019-13177",
      "modified": "2023-12-13T01:23:41.132188Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-13177",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh",
            "refsource": "MISC",
            "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
          },
          {
            "name": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0",
            "refsource": "MISC",
            "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e0.1.0,\u003c0.5.0",
          "affected_versions": "All versions after 0.1.0 before 0.5.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-347",
            "CWE-937"
          ],
          "date": "2019-07-12",
          "description": "`verification.py` in django-rest-registration (aka Django REST Registration library) relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.",
          "fixed_versions": [
            "0.5.0"
          ],
          "identifier": "CVE-2019-13177",
          "identifiers": [
            "CVE-2019-13177",
            "GHSA-p3w6-jcg4-52xh"
          ],
          "not_impacted": "All versions up to 0.1.0, all versions starting from 0.5.0",
          "package_slug": "pypi/django-rest-registration",
          "pubdate": "2019-07-02",
          "solution": "Upgrade to version 0.5.0 or above.",
          "title": "Improper Verification of Cryptographic Signature",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-13177"
          ],
          "uuid": "a5833bb9-9c7c-44eb-82de-3745a70a02e8"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:django-rest-registration_project:django-rest-registration:*:*:*:*:*:django:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.5.0",
                "versionStartExcluding": "0.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-13177"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-347"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
            },
            {
              "name": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-07-12T13:52Z",
      "publishedDate": "2019-07-02T22:15Z"
    }
  }
}

fkie_cve-2019-13177

Vulnerability from fkie_nvd

Published

2019-07-02 22:15

Modified

2024-11-21 04:24

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0	Release Notes, Third Party Advisory
cve@mitre.org	https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh	Exploit, Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	django-rest-registration_project	django-rest-registration	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:django-rest-registration_project:django-rest-registration:*:*:*:*:*:django:*:*",
              "matchCriteriaId": "F950C177-4510-4EE8-88A5-BC57996E4C98",
              "versionEndExcluding": "0.5.0",
              "versionStartExcluding": "0.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument."
    },
    {
      "lang": "es",
      "value": "El archivo verification.py en django-rest-registration (tambi\u00e9n conocida como biblioteca de registro REST de Django) anterior a la versi\u00f3n 0.5.0 consiste en una cadena est\u00e1tica para firmas (es decir, la API de firma de Django es usada inapropiadamente), lo que permite a los atacantes remotos suplantar el proceso de comprobaci\u00f3n. Esto ocurre porque la refactorizaci\u00f3n del c\u00f3digo incorrecta conllev\u00f3 a llamar a una funci\u00f3n cr\u00edtica de seguridad con un argumento incorrecto."
    }
  ],
  "id": "CVE-2019-13177",
  "lastModified": "2024-11-21T04:24:21.807",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-07-02T22:15:09.770",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-p3w6-jcg4-52xh

Vulnerability from github

Published

2019-07-02 15:43

Modified

2024-09-16 21:58

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

Improper Verification of Cryptographic Signature in django-rest-registration

Details

Misusing the Django Signer API leads to predictable signatures used in verification emails

Impact

The vulnerability is a high severity one. Anyone using Django REST Registration library versions 0.2.* - 0.4.* with e-mail verification option (which is recommended, but needs additional configuration) is affected. In the worst case, the attacker can take over any Django user by resetting his/her password without even receiving the reset password verification link, just by guessing the signature from publicly available data (more detailed description below).

Patches

The problem has been patched in version 0.5.0. All library users should upgrade to version 0.5.0 or higher. The fix will invalidate all previously generated signatures , and in consequence, all verification links in previously sent verification e-mails. Therefore semi-major version 0.5.0 was released instead of version 0.4.6 to mark that incompatibility.

Workarounds

The easiest way way is to disable the verification options by using something like the minimal configuration described here. This will unfortunately disable checking whether the given e-mail is valid and make unable to users who registered an account but didn't verify it before config change.

Less harsh way is to temporarily disable just the the reset password functionality:

python REST_REGISTRATION = { # ... 'RESET_PASSWORD_VERIFICATION_ENABLED': False, # ... } Which should disallow the worst case, which is account takeover by an attacker. The attacker can still use the register-email endpoint to change the email to its own (but it is less critical than resetting the password in this case).

If one already set 'RESET_PASSWORD_VERIFICATION_ONE_TIME_USE' setting key to True in REST_REGISTRATION Django setting (which is not the default setting) then it should mitigate the security issue in case of password reset (in this case, the signature is much harder to guess by the attacker). But even in this case upgrade to newest version is highly recommended.

Technical description

After the code was refactored to use the official Signer class the salt was passed wrongly as secret key, replacing the SECRET_KEY set in Django settings file. This leads to the Django SECRET_KEY not being used by the signer object. The secret key of the signer ends to be the salt which in most cases is a static string which is publicly available.

In consequence this allows, with verification enabled, to guess the signature contained in the verification link (which is sent in a verification e-mail) by a potential attacker very easily.

The bug went unnoticed for very long time so multiple versions are affected: this bug affects versions 0.2.*, 0.3.*, 0.4.*; version 0.1.* is not affected.

Recently released version 0.5.0 contains the fix which correctly passes the salt to the Signer constructor as keyword argument instead as a positonal argument. It also contains additonal test so this problem should not reappear in the future.

Thanks

I'd like to thank @peterthomassen from https://desec.io DNS security project for finding the bug. I'd like also to thank his employer, SSE (https://www.securesystems.de) for funding his work.

For more information

If you have any questions or comments about this advisory: * Open an issue in GitHub issues project page * Email @apragacz, author of the library

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-rest-registration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-13177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:47:52Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Misusing the Django Signer API leads to predictable signatures used in verification emails\n\n### Impact\nThe vulnerability is a high severity one. Anyone using Django REST Registration library versions `0.2.*` - `0.4.*` with e-mail verification option (which is recommended, but needs [additional configuration](https://django-rest-registration.readthedocs.io/en/latest/quickstart.html#preferred-configuration)) is affected.\nIn the worst case, the attacker can take over any Django user by resetting his/her password without even receiving the reset password verification link, just by guessing the signature from publicly available data (more detailed description below).\n\n### Patches\nThe problem has been patched in version `0.5.0`. All library users should upgrade to version `0.5.0` or higher.\nThe fix will invalidate all previously generated signatures , and in consequence, all verification links in previously sent verification e-mails. Therefore semi-major version `0.5.0` was released instead of version `0.4.6` to mark that incompatibility.\n\n### Workarounds\nThe easiest way way is to disable the verification options by using something like the minimal configuration described [here](https://django-rest-registration.readthedocs.io/en/latest/quickstart.html#minimal-configuration). This will unfortunately disable checking whether the given e-mail is valid and make unable to users who registered an account but didn\u0027t verify it before config change.\n\nLess harsh way is to temporarily disable just the the reset password functionality:\n\n```python\nREST_REGISTRATION = {\n    # ...\n    \u0027RESET_PASSWORD_VERIFICATION_ENABLED\u0027: False,\n    # ...\n}\n```\nWhich should disallow the worst case, which is account takeover by an attacker. The attacker can still use the register-email endpoint to change the email to its own (but it is less critical than resetting the password in this case).\n\nIf one already set `\u0027RESET_PASSWORD_VERIFICATION_ONE_TIME_USE\u0027` setting key to `True` in `REST_REGISTRATION` Django setting (which is not the default setting) then it should mitigate the security issue in case of password reset (in this case, the signature is much harder to guess by the attacker). But even in this case upgrade to newest version is highly recommended.\n\n### Technical description\nAfter the code [was refactored](https://github.com/apragacz/django-rest-registration/commit/b6d921e9decc9bb36a4c6d58bc607471aa824a2e) to use the [official Signer class](https://docs.djangoproject.com/en/dev/topics/signing/) the salt\nwas passed wrongly as secret key, replacing the `SECRET_KEY` set in\nDjango settings file. This leads to the Django `SECRET_KEY` not being used by the signer object. The secret key of the signer ends to be the salt which in most cases is a static string which is publicly available.\n\nIn consequence this allows, with verification enabled, to guess\nthe signature contained in the verification link (which is sent in a verification e-mail) by a potential attacker very easily.\n\nThe bug went unnoticed for very long time so multiple versions are affected:\nthis bug affects versions `0.2.*`, `0.3.*`, `0.4.*`; version `0.1.*` is not affected.\n\nRecently released version `0.5.0` contains the [fix](https://github.com/apragacz/django-rest-registration/commit/26d094fab65ea8c2694fdfb6a3ab95a7808b62d5) which correctly passes the salt to the Signer constructor as keyword argument instead as a positonal argument. It also contains additonal test so this problem should not reappear in the future.\n\n### Thanks\nI\u0027d like to thank @peterthomassen from https://desec.io DNS security project for finding the bug. I\u0027d like also to thank his employer, SSE (https://www.securesystems.de) for funding his work.\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [GitHub issues project page](https://github.com/apragacz/django-rest-registration/issues)\n* Email @apragacz, author of the library ",
  "id": "GHSA-p3w6-jcg4-52xh",
  "modified": "2024-09-16T21:58:34Z",
  "published": "2019-07-02T15:43:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13177"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apragacz/django-rest-registration/commit/26d094fab65ea8c2694fdfb6a3ab95a7808b62d5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p3w6-jcg4-52xh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apragacz/django-rest-registration"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-rest-registration/PYSEC-2019-20.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Verification of Cryptographic Signature in django-rest-registration"
}

pysec-2019-20

Vulnerability from pysec

Published

2019-07-02 22:15

Modified

2019-07-12 13:52

Details

Impacted products

Name	purl
django-rest-registration	pkg:pypi/django-rest-registration

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-rest-registration",
        "purl": "pkg:pypi/django-rest-registration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.2",
        "0.2.0",
        "0.2.1",
        "0.2.4",
        "0.3.0",
        "0.3.3",
        "0.3.4",
        "0.3.5",
        "0.3.6",
        "0.3.7",
        "0.3.8",
        "0.3.9",
        "0.3.12",
        "0.3.13",
        "0.3.14",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.4.3",
        "0.4.4",
        "0.4.5"
      ]
    }
  ],
  "aliases": [
    "CVE-2019-13177",
    "GHSA-p3w6-jcg4-52xh"
  ],
  "details": "verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument.",
  "id": "PYSEC-2019-20",
  "modified": "2019-07-12T13:52:00Z",
  "published": "2019-07-02T22:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apragacz/django-rest-registration/releases/tag/0.5.0"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2019-13177 (GCVE-0-2019-13177)

Vulnerability from cvelistv5

gsd-2019-13177

Vulnerability from gsd

fkie_cve-2019-13177

Vulnerability from fkie_nvd

ghsa-p3w6-jcg4-52xh

Vulnerability from github

Misusing the Django Signer API leads to predictable signatures used in verification emails

Impact

Patches

Workarounds

Technical description

Thanks

For more information

pysec-2019-20

Vulnerability from pysec

Tags

Sightings

Nomenclature