CVE-2019-19118

Name: CVE-2019-19118
Creator: NVD / NIST
Published: 2019-12-02T14:15:10.88+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 1.66%

Last modified Jun 17, 2026

CVE-2019-19118 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. EPSS estimates a 1.66% chance of exploitation in the next 30 days.

Description

Django 2.1 before 2.1.15 and 2.2 before 2.2.8 allows unintended model editing. A Django model admin displaying inline related models, where the user has view-only permissions to a parent model but edit permissions to the inline model, would be presented with an editing UI, allowing POST requests, for updating the inline model. Directly editing the view-only parent model was not possible, but the parent model's save() method was called, triggering potential side effects, and causing pre and post-save signal handlers to be invoked. (To resolve this, the Django admin is adjusted to require edit permissions on the parent model in order for inline models to be editable.)

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

1.66%

73.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-276

Affected Software

Vendor	Product	Versions
Djangoproject	Django	>= 2.1, < 2.1.15
Djangoproject	Django	>= 2.2, < 2.2.8
Fedoraproject	Fedora	31

References

http://www.openwall.com/lists/oss-security/2019/12/02/1Mailing List, Patch, Third Party Advisory
https://docs.djangoproject.com/en/dev/releases/security/Patch, Vendor Advisory
https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/
https://security.gentoo.org/glsa/202004-17
https://security.netapp.com/advisory/ntap-20191217-0003/Third Party Advisory
https://www.djangoproject.com/weblog/2019/dec/02/security-releases/Patch, Vendor Advisory
http://www.openwall.com/lists/oss-security/2019/12/02/1Mailing List, Patch, Third Party Advisory
https://docs.djangoproject.com/en/dev/releases/security/Patch, Vendor Advisory
https://groups.google.com/forum/#%21topic/django-announce/GjGqDvtNmWQ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6R4HD22PVEVQ45H2JA2NXH443AYJOPL5/
https://security.gentoo.org/glsa/202004-17
https://security.netapp.com/advisory/ntap-20191217-0003/Third Party Advisory
https://www.djangoproject.com/weblog/2019/dec/02/security-releases/Patch, Vendor Advisory

Timeline

Published: Dec 2, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-19118?

How severe is CVE-2019-19118?

CVE-2019-19118 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.66% probability of exploitation in the next 30 days.

How do I fix CVE-2019-19118?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-19118?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST