CVE-2019-13177: Improper Verification of Cryptographic Signature in django-rest-registration
The vulnerability is rated high severity. Anyone using Django REST Registration library versions 0.2.* - 0.4.* with the e-mail verification option enabled (which is recommended, but needs additional configuration) is affected.
In the worst case, the attacker can take over any Django user by resetting his/her password without ever receiving the password reset verification link, just by guessing the signature from publicly available data (more detailed description below).
References
- github.com/advisories/GHSA-p3w6-jcg4-52xh
- github.com/apragacz/django-rest-registration
- github.com/apragacz/django-rest-registration/commit/26d094fab65ea8c2694fdfb6a3ab95a7808b62d5
- github.com/apragacz/django-rest-registration/releases/tag/0.5.0
- github.com/apragacz/django-rest-registration/security/advisories/GHSA-p3w6-jcg4-52xh
- github.com/pypa/advisory-database/tree/main/vulns/django-rest-registration/PYSEC-2019-20.yaml
- nvd.nist.gov/vuln/detail/CVE-2019-13177