Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model
editing. A Django model admin displaying inline related models, where the
user has view-only permissions to a parent model but edit permissions to
the inline model, would be presented with an editing UI, allowing POST
requests, for updating the inline model. Directly editing the view-only
parent model was not possible, but the parent model's save() method was
called, triggering potential side effects, and causing pre and post-save
signal handlers to be invoked. (To resolve this, the Django admin is
adjusted to require edit permissions on the parent model in order for
inline models to be editable.)
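
The exposure condition in the description can be audited on an affected deployment. The sketch below is an added example, not code from Django or from this tracker: it flags groups that hold view-only access to a parent model while holding add, change or delete rights on its inline model. The admin registrations and group permission sets are constructed sample data, and `perm` and `exposed_grants` are hypothetical helper names.

```python
# Constructed sample data (assumption): which admin pages show an inline,
# as (parent model, inline model) labels in "app_label.modelname" form.
INLINE_ADMINS = [
    ("shop.order", "shop.orderline"),
    ("blog.post", "blog.comment"),
]

# Constructed sample data (assumption): group -> permission strings in
# Django's "app_label.action_modelname" form.
GROUP_PERMS = {
    "support": {"shop.view_order", "shop.change_orderline"},
    "editors": {"blog.view_post", "blog.change_post", "blog.change_comment"},
    "auditors": {"shop.view_order", "shop.view_orderline"},
    "moderators": {"blog.view_post", "blog.add_comment", "blog.delete_comment"},
}

EDIT_ACTIONS = ("add", "change", "delete")


def perm(action, label):
    """Build a permission string such as 'shop.view_order'."""
    app_label, model_name = label.split(".")
    return f"{app_label}.{action}_{model_name}"


def exposed_grants(inline_admins, group_perms):
    """Return (group, parent, inline, edit_actions) for every group that can
    view but not change the parent, yet can edit the inline model."""
    findings = []
    for group, perms in sorted(group_perms.items()):
        for parent, inline in inline_admins:
            view_only = (perm("view", parent) in perms
                         and perm("change", parent) not in perms)
            edits = [a for a in EDIT_ACTIONS if perm(a, inline) in perms]
            if view_only and edits:
                findings.append((group, parent, inline, edits))
    return findings


if __name__ == "__main__":
    for group, parent, inline, edits in exposed_grants(INLINE_ADMINS, GROUP_PERMS):
        print(f"{group}: view-only on {parent}, can {'/'.join(edits)} {inline}")
```

Groups reported here are the ones whose inline edits would reach the parent model's save() and its signal handlers on an unfixed version.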
amurray: According to the upstream advisory, this only affects versions 2.1, 2.2, 3.0 and master
Upstream: released (2.2.8)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Ubuntu 18.04 LTS (Bionic Beaver): not-affected
Ubuntu 19.04 (Disco Dingo): not-affected
Ubuntu 19.10 (Eoan Ermine): not-affected
Ubuntu 20.04 (Focal Fossa): released (2:2.2.9-2ubuntu1)

Updated: 2020-01-21 05:15:03 UTC (commit 529c9755cf68243d8fc751c7fa9752115e65777b)