Bug 745933 (CVE-2020-25626)

Summary: <dev-python/djangorestframework-3.12.2: XSS vulnerability in API viewer (CVE-2020-25626)
Product: Gentoo Security
Reporter: filip ambroz <filip.ambroz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ajak, williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-25626
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description filip ambroz 2020-10-01 08:06:03 UTC
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site scripting (XSS) vulnerability.

Links:
https://bugzilla.redhat.com/show_bug.cgi?id=1878635
https://www.tenable.com/cve/CVE-2020-25626

Reproducible: Always
Comment 1 John Helmert III 2020-10-01 15:12:46 UTC
Atom in summary shouldn't be versioned until a fixed version is in tree.
Comment 2 Sam James 2020-11-16 18:56:42 UTC
ping
Comment 3 Sam James 2021-01-10 16:42:50 UTC
ping, please bump
Comment 4 Larry the Git Cow 2021-01-30 15:36:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92f7dab687fab03cb9056f19bccf0974c70c5947

commit 92f7dab687fab03cb9056f19bccf0974c70c5947
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-01-30 15:32:04 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-01-30 15:32:04 +0000

    dev-python/djangorestframework: drop old version
    
    Bug: https://bugs.gentoo.org/745933
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/djangorestframework/Manifest               |  1 -
 .../djangorestframework-3.11.1.ebuild                 | 19 -------------------
 2 files changed, 20 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4e33679bbf5d6065d98579bd08a2eef2bcd06f3

commit e4e33679bbf5d6065d98579bd08a2eef2bcd06f3
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-01-30 15:30:56 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-01-30 15:30:56 +0000

    dev-python/djangorestframework: bump to version 3.12.2
    
    Also added python3_9 support.
    
    Bug: https://bugs.gentoo.org/745933
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 dev-python/djangorestframework/Manifest             |  1 +
 .../djangorestframework-3.12.2.ebuild               | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)
Comment 5 John Helmert III 2021-01-30 16:21:24 UTC
Thank you!