CVE-2019-19844: Django Potential account hijack vulnerability alert

Django has released a security bulletin fixing a high-risk vulnerability, CVE-2019-19844. Django's password-reset form uses a case-insensitive query to retrieve the accounts matching the email address submitted in the password-reset request.

An attacker who knows the email address associated with a user account can craft an email address that is distinct from the address associated with that account but that, due to the behavior of Unicode case transformations, ceases to be distinct after case transformation, or that otherwise compares equal under the database's case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account.

Affected versions

  • Django master branch
  • Django 3.0
  • Django 2.2
  • Django 1.11

Solution:

Django has released a patch that fixes this vulnerability; affected users should upgrade Django as soon as possible.
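To make both the collision described above and the fix concrete, here is an added Python example (not Django's own code): the in-memory user table, the `upper()`-based lookup standing in for a database `iexact` comparison, and the function names are assumptions. It uses U+017F (ſ, long s), which `str.upper()` maps to `S`, so `alice.ſmith@example.com` and `alice.smith@example.com` are distinct strings that compare equal after case transformation; the hardened path mirrors the two changes in Django's fix, a Python-side Unicode comparison (NFKC then casefold) and mailing the address stored on the account rather than the one submitted.

```python
import unicodedata

# Constructed stand-in for the user table (assumption: one active account).
USERS = [{"id": 1, "email": "alice.smith@example.com", "active": True}]


def unicode_ci_equal(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison: NFKC normalize, then casefold
    (the recommended algorithm from Unicode Technical Report 36, 2.11.2)."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def db_iexact(submitted: str) -> list:
    """Stand-in for ``email__iexact``: many backends implement it as
    UPPER(col) = UPPER(value), so the match depends on the DB's case mapping."""
    return [u for u in USERS
            if u["active"] and u["email"].upper() == submitted.upper()]


def reset_recipients_vulnerable(submitted: str) -> list:
    """Pre-fix behaviour: one reset mail per matched account, addressed to
    the *submitted* string. A confusable address therefore receives the token."""
    return [submitted for _ in db_iexact(submitted)]


def reset_recipients_fixed(submitted: str) -> list:
    """Post-fix behaviour: re-check the DB match with a deterministic Unicode
    comparison and address the mail to the *stored* email of each account."""
    return [u["email"] for u in db_iexact(submitted)
            if unicode_ci_equal(submitted, u["email"])]


def confusable_match(submitted: str, stored: str) -> bool:
    """Detection helper: True when the two strings differ byte-for-byte but
    collapse to the same value under case transformation."""
    return submitted != stored and unicode_ci_equal(submitted, stored)


if __name__ == "__main__":
    crafted = "alice.\u017fmith@example.com"  # long s instead of 's'
    print("vulnerable ->", reset_recipients_vulnerable(crafted))
    print("fixed      ->", reset_recipients_fixed(crafted))
    print("confusable ->", confusable_match(crafted, USERS[0]["email"]))
```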