CVE-2019-19844

Priority
Description
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows
account takeover via the password reset form. The form matched the submitted
address against user records with a case-insensitive (iexact) database
lookup, so a suitably crafted email address that is equal to an existing
user's email address after Unicode case transformation matches that user,
and the password reset token for the matched account was then mailed to the
attacker-supplied address rather than the one on record. The fixed releases
re-check the match with the Unicode Technical Report 36 identifier comparison
(NFKC normalisation followed by case folding) and send password reset tokens
only to the registered user email address.
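The following is an added Python model of the flaw and of the two mitigations; it is not code from Django or from the Ubuntu tracker. It stands in for PasswordResetForm.get_users()/save() with a constructed in-memory user table (USERS, not real accounts) and models the iexact lookup the way PostgreSQL evaluates it, UPPER(email) = UPPER(submitted), where UPPER applies full Unicode case mapping; other backends fold differently and are not modelled. unicode_ci_compare follows the algorithm Django's fix introduced (UTR #36 2.11.2(B)(2)); the function and variable names are this example's own. How mail to a lookalike address ends up in an attacker's mailbox is outside the model; only the matching and recipient selection are shown.

```python
import unicodedata

# Constructed sample user table standing in for the auth_user rows a
# Django app would hold; these are not real accounts.
USERS = [
    {"username": "james", "email": "james@example.com", "is_active": True},
    {"username": "mike", "email": "mike@example.com", "is_active": True},
    {"username": "old", "email": "old@example.com", "is_active": False},
]


def db_iexact(stored, supplied):
    """Model of the ORM lookup email__iexact=supplied.

    On PostgreSQL Django compiles it to UPPER(email) = UPPER(%s). UPPER uses
    full Unicode case mapping, so U+017F LATIN SMALL LETTER LONG S becomes
    ASCII 'S' and U+0131 LATIN SMALL LETTER DOTLESS I becomes ASCII 'I';
    both therefore collide with a plain ASCII address.
    """
    return stored.upper() == supplied.upper()


def unicode_ci_compare(s1, s2):
    """Case-insensitive identifier comparison per Unicode TR #36, 2.11.2(B)(2):
    NFKC-normalise both sides, then casefold. This is the extra check the
    fixed releases apply to every row the database lookup returned."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients_vulnerable(supplied_email):
    """Pre-fix behaviour (Django < 1.11.27 / < 2.2.9 / < 3.0.1): every active
    user matched by the iexact lookup gets a token, and the mail is addressed
    to the *submitted* string. Returns (username, recipient) pairs."""
    return [
        (u["username"], supplied_email)
        for u in USERS
        if u["is_active"] and db_iexact(u["email"], supplied_email)
    ]


def reset_recipients_fixed(supplied_email):
    """Post-fix behaviour: the database match is re-checked in Python with the
    TR36 comparison, and the mail goes to the address on record, never to the
    submitted string. Returns (username, recipient) pairs."""
    return [
        (u["username"], u["email"])
        for u in USERS
        if u["is_active"]
        and db_iexact(u["email"], supplied_email)
        and unicode_ci_compare(supplied_email, u["email"])
    ]


if __name__ == "__main__":
    # Attacker-controlled lookalikes: long s in place of 's', dotless i in
    # place of 'i'. Both survive the iexact lookup on PostgreSQL.
    for probe in ("jame\u017f@example.com", "m\u0131ke@example.com"):
        print(repr(probe))
        print("  vulnerable ->", reset_recipients_vulnerable(probe))
        print("  fixed      ->", reset_recipients_fixed(probe))
```

The two probes show the two mitigations doing different work. The long-s address still compares equal under NFKC plus casefold (U+017F folds to 's'), so a token is issued, but it now goes to james@example.com, not to the submitted string. The dotless-i address is accepted by the database's UPPER-based comparison but rejected by the TR36 check (U+0131 has no case folding to 'i'), so no token is issued at all.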
Assigned-to
sbeattie
Notes
Package
Upstream:released (1.11.27, 2.2.9)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):released (1.8.7-1ubuntu5.11)
Ubuntu 18.04 LTS (Bionic Beaver):released (1:1.11.11-1ubuntu1.6)
Ubuntu 19.04 (Disco Dingo):released (1:1.11.20-1ubuntu0.3)
Ubuntu 19.10 (Eoan Ermine):released (1:1.11.22-1ubuntu1.1)
Ubuntu 20.04 (Focal Fossa):released (2:2.2.9-2ubuntu1)
Patches:
Upstream:https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2 (1.11.x)
Upstream:https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e (2.2.x)
More Information

Updated: 2020-01-21 05:15:04 UTC (commit 529c9755cf68243d8fc751c7fa9752115e65777b)