Django Access Restrictions Bypass

GHSA-46x4-9jmv-jc8p · CVE-2016-2048 · PYSEC-2016-14

Published May 17, 2022 · Modified Nov 28, 2024

Description

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-2048
WEB https://github.com/django/django/commit/adbca5e4db42542575734b8e5d26961c8ada7265
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2016-14.yaml
WEB https://web.archive.org/web/20210123075529/http://www.securityfocus.com/bid/82329
WEB https://web.archive.org/web/20211204051406/http://www.securitytracker.com/id/1034894
WEB https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes