Critical severityNVD Advisory· Published Dec 18, 2019· Updated Aug 5, 2024

CVE-2019-19844

Description

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Django password reset vulnerable to account takeover via Unicode case transformation in email addresses, allowing attackers to receive reset tokens for other users.

Root

Cause

The vulnerability resides in Django's password reset mechanism. When a user requests a password reset, the framework compares the provided email address against stored user email addresses. However, this comparison did not account for Unicode case folding, meaning that two email addresses that are visually distinct but normalize to the same string (e.g., via Unicode case mapping) were treated as different. An attacker could craft an email address that, after case transformation, matches an existing user's email address, causing the password reset token to be sent to the attacker's address instead of the legitimate user [1][3].

Exploitation

To exploit this, an attacker needs only to know the target user's email address. No authentication is required. The attacker submits a password reset request using a Unicode variant of the target's email (e.g., using a different case representation that normalizes identically). The Django application then sends the password reset token to the attacker's email address, allowing them to reset the victim's password and take over the account [4].

Impact

Successful exploitation results in complete account takeover. The attacker gains access to the victim's account, including any associated data and privileges. This vulnerability affects Django versions before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 [1].

Mitigation

The Django project released patched versions (1.11.27, 2.2.9, 3.0.1) that fix the comparison logic to properly handle Unicode case folding. Additionally, the fix ensures that password reset tokens are only sent to the email address registered to the account, preventing the token from being delivered to an attacker-controlled address [1][3]. Users are strongly advised to upgrade to the latest patched version.

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
DjangoPyPI	< 1.11.27	1.11.27
DjangoPyPI	>= 2.0, < 2.2.9	2.2.9
DjangoPyPI	>= 3.0, < 3.0.1	3.0.1

Affected products

270

Django/Djangodescription
ghsa-coords269 versions
pkg:pypi/django pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/python-django-allauth&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweed pkg:rpm/suse/ansible1&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/ardana-ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-cobbler&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-glance&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-input-model&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-logging&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-manila&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-monasca&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-mq&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-neutron&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-octavia&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/ardana-osconfig&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-tempest&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/documentation-hpe-helion-openstack-installation&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-operations&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-opsconsole&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-planning&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-security&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-user&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-suse-openstack-cloud-deployment&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-installation&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-operations&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-opsconsole&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-planning&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-security&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/grafana-natel-discrete-panel&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/grafana-natel-discrete-panel&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana-natel-discrete-panel&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/keepalived&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/memcached&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-barbican&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-cinder-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-cinder-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-cinder-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-dashboard-theme-SUSE&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-designate&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-designate&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-ironic&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-ironic&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-magnum&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-magnum&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-manila-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-monasca-installer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-neutron-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-fwaas&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-fwaas-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-vsphere&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-neutron-vsphere&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-nova-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-octavia&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-octavia&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-resource-agents&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/openstack-resource-agents&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/openstack-tempest&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-ardana-packager&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-ardana-packager&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-ardana-packager&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-Django1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Flask-Cors&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Flask-Cors&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-heatclient&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-heatclient&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-keystoneclient&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-keystoneclient&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-keystoneclient&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-keystonemiddleware&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-keystonemiddleware&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-keystonemiddleware&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-kombu&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-kombu&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-kombu&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-neutron-tempest-plugin&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-neutron-tempest-plugin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-octavia-tempest-plugin&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-octavia-tempest-plugin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-os-brick&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-os-brick&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-psql2mysql&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-straight-plugin&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-straight-plugin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-urllib3&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-urllib3&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/rabbitmq-server&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/release-notes-hpe-helion-openstack&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 pkg:rpm/suse/storm&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/venv-openstack-aodh&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-aodh&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-designate&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-magnum&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-manila&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-murano&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-sahara&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-swift&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%209 pkg:rpm/suse/venv-openstack-trove&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/zookeeper&distro=SUSE%20OpenStack%20Cloud%207
< 1.11.27+ 268 more
- (no CPE)range: < 1.11.27
- (no CPE)range: < 4.2.14-1.1
- (no CPE)range: < 6.0-1.1
- (no CPE)range: < 0.63.3-1.1
- (no CPE)range: < 3.2.7-2.3
- (no CPE)range: < 1.9.6-9.7.2
- (no CPE)range: < 2.9.14-3.15.1
- (no CPE)range: < 2.2.3.0-12.2
- (no CPE)range: < 2.9.14-3.15.1
- (no CPE)range: < 2.9.14-3.15.1
- (no CPE)range: < 8.0+git.1596735237.54109b1-3.77.1
- (no CPE)range: < 8.0+git.1596735237.54109b1-3.77.1
- (no CPE)range: < 9.0+git.1591138508.e269bdb-3.22.2
- (no CPE)range: < 8.0+git.1596129856.263f430-3.43.1
- (no CPE)range: < 8.0+git.1596129856.263f430-3.43.1
- (no CPE)range: < 9.0+git.1588181228.bae3b1f-3.13.2
- (no CPE)range: < 8.0+git.1593631779.76fa9b7-3.24.1
- (no CPE)range: < 8.0+git.1593631779.76fa9b7-3.24.1
- (no CPE)range: < 9.0+git.1593631708.9354a78-3.13.2
- (no CPE)range: < 9.0+git.1589740948.c24fc0b-3.19.2
- (no CPE)range: < 9.0+git.1591193994.d93b668-3.13.2
- (no CPE)range: < 9.0+git.1594158642.b5905e4-3.12.2
- (no CPE)range: < 9.0+git.1589385256.7fbfaaf-3.19.2
- (no CPE)range: < 8.0+git.1593618123.678c32b-3.26.1
- (no CPE)range: < 8.0+git.1593618123.678c32b-3.26.1
- (no CPE)range: < 9.0+git.1593618110.cbd1a37-3.16.2
- (no CPE)range: < 9.0+git.1590756257.e09d54f-3.22.2
- (no CPE)range: < 8.0+git.1601298847.dd01585-3.42.1
- (no CPE)range: < 8.0+git.1601298847.dd01585-3.42.1
- (no CPE)range: < 9.0+git.1590079609.a2ae6ab-3.19.2
- (no CPE)range: < 8.0+git.1595885113.93abcbc-3.49.1
- (no CPE)range: < 8.0+git.1595885113.93abcbc-3.49.1
- (no CPE)range: < 9.0+git.1593033709.9495bb2-3.16.2
- (no CPE)range: < 4.0+git.1580209654.1d112d31f-9.66.5
- (no CPE)range: < 5.0+git.1600432272.b3ad722f0-3.44.1
- (no CPE)range: < 6.0+git.1594619891.b75a61d0d-3.25.5
- (no CPE)range: < 4.0+git.1585316203.d6ad2c8-4.52.4
- (no CPE)range: < 4.0+git.1589804581.9972163f0-9.71.4
- (no CPE)range: < 5.0+git.1599037158.5c4d07480-4.43.1
- (no CPE)range: < 6.0+git.1591795073.49cb6400e-3.25.3
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 8.20201007-1.29.1
- (no CPE)range: < 6.7.4-4.12.1
- (no CPE)range: < 4.6.5-1.14.1
- (no CPE)range: < 6.7.4-4.12.1
- (no CPE)range: < 6.2.5-3.12.2
- (no CPE)range: < 6.7.4-4.12.1
- (no CPE)range: < 6.2.5-3.12.2
- (no CPE)range: < 0.0.9-3.3.6
- (no CPE)range: < 0.0.9-3.3.6
- (no CPE)range: < 0.0.9-3.3.6
- (no CPE)range: < 2.0.19-1.8.1
- (no CPE)range: < 4.6.3-5.1
- (no CPE)range: < 4.6.3-4.3.2
- (no CPE)range: < 4.6.3-4.3.2
- (no CPE)range: < 1.5.17-3.6.1
- (no CPE)range: < 20180608_12.47-12.1
- (no CPE)range: < 7.0.1~dev24-3.9.5
- (no CPE)range: < 7.0.1~dev24-3.9.5
- (no CPE)range: < 11.1.1~dev7-3.16.3
- (no CPE)range: < 11.1.1~dev7-3.16.3
- (no CPE)range: < 11.2.3~dev29-3.28.2
- (no CPE)range: < 11.2.3~dev29-3.28.2
- (no CPE)range: < 13.0.10~dev12-3.22.4
- (no CPE)range: < 11.2.3~dev29-3.28.2
- (no CPE)range: < 13.0.10~dev12-3.22.4
- (no CPE)range: < 11.2.3~dev29-3.28.1
- (no CPE)range: < 11.2.3~dev29-3.28.1
- (no CPE)range: < 11.2.3~dev29-3.28.1
- (no CPE)range: < 14.1.1~dev6-3.15.5
- (no CPE)range: < 14.1.1~dev6-3.15.5
- (no CPE)range: < 2016.2-5.12.4
- (no CPE)range: < 7.0.2~dev2-3.19.3
- (no CPE)range: < 7.0.2~dev2-3.19.3
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.6.2
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.6.2
- (no CPE)range: < 11.1.5~dev6-3.19.3
- (no CPE)range: < 11.1.5~dev6-3.19.3
- (no CPE)range: < 14.2.1~dev4-3.22.3
- (no CPE)range: < 14.2.1~dev4-3.22.3
- (no CPE)range: < 7.2.1~dev1-3.13.3
- (no CPE)range: < 7.2.1~dev1-3.13.3
- (no CPE)range: < 3.0.1~dev30-4.12.2
- (no CPE)range: < 7.4.2~dev31-4.24.3
- (no CPE)range: < 7.4.2~dev31-4.24.3
- (no CPE)range: < 3.0.1~dev30-4.12.3
- (no CPE)range: < 2.8.2~dev5-3.9.3
- (no CPE)range: < 2.8.2~dev5-3.9.3
- (no CPE)range: < 20190923_16.32-3.15.1
- (no CPE)range: < 20190923_16.32-3.15.1
- (no CPE)range: < 20190923_16.32-3.15.1
- (no CPE)range: < 11.0.9~dev69-3.37.2
- (no CPE)range: < 11.0.9~dev69-3.37.2
- (no CPE)range: < 13.0.8~dev68-3.25.3
- (no CPE)range: < 11.0.9~dev69-3.37.2
- (no CPE)range: < 13.0.8~dev68-3.25.3
- (no CPE)range: < 11.0.9~dev69-3.37.1
- (no CPE)range: < 11.0.9~dev69-3.37.1
- (no CPE)range: < 11.0.9~dev69-3.37.1
- (no CPE)range: < 9.0.2~dev5-4.9.3
- (no CPE)range: < 9.0.2~dev5-4.9.4
- (no CPE)range: < 2.0.1~dev167-3.3.3
- (no CPE)range: < 2.0.1~dev167-3.3.3
- (no CPE)range: < 16.1.9~dev76-3.39.2
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 16.1.9~dev76-3.39.2
- (no CPE)range: < 18.3.1~dev38-3.25.4
- (no CPE)range: < 16.1.9~dev76-3.39.2
- (no CPE)range: < 18.3.1~dev38-3.25.4
- (no CPE)range: < 16.1.9~dev76-3.39.1
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 16.1.9~dev76-3.39.1
- (no CPE)range: < 16.1.9~dev76-3.39.1
- (no CPE)range: < 0.1.4-7.12.3
- (no CPE)range: < 0.1.4-7.12.3
- (no CPE)range: < 3.2.3~dev7-3.25.3
- (no CPE)range: < 3.2.3~dev7-3.25.3
- (no CPE)range: < 1.0+git.1569436425.8b9c49f-5.3.2
- (no CPE)range: < 1.0+git.1569436425.8b9c49f-5.3.2
- (no CPE)range: < 12.2.1~a0~dev177-4.9.1
- (no CPE)range: < 0.0.3-7.7.2
- (no CPE)range: < 0.0.3-7.7.2
- (no CPE)range: < 0.0.3-9.3.2
- (no CPE)range: < 1.11.29-3.15.2
- (no CPE)range: < 1.11.29-3.15.2
- (no CPE)range: < 1.11.29-3.19.2
- (no CPE)range: < 1.8.19-3.23.1
- (no CPE)range: < 1.11.29-3.19.2
- (no CPE)range: < 1.11.29-3.19.2
- (no CPE)range: < 3.0.3-3.3.1
- (no CPE)range: < 3.0.3-3.3.1
- (no CPE)range: < 1.16.3-3.3.3
- (no CPE)range: < 1.16.3-3.3.3
- (no CPE)range: < 3.13.1-3.3.2
- (no CPE)range: < 3.13.1-3.3.2
- (no CPE)range: < 3.13.1-3.3.2
- (no CPE)range: < 4.17.1-5.3.1
- (no CPE)range: < 4.17.1-5.3.1
- (no CPE)range: < 4.17.1-5.3.1
- (no CPE)range: < 4.1.0-3.7.1
- (no CPE)range: < 4.1.0-3.7.1
- (no CPE)range: < 4.1.0-3.7.1
- (no CPE)range: < 0.2.0-3.3.2
- (no CPE)range: < 0.2.0-3.3.2
- (no CPE)range: < 0.2.0-3.3.2
- (no CPE)range: < 0.2.0-3.3.2
- (no CPE)range: < 2.5.10-3.12.3
- (no CPE)range: < 2.5.10-3.12.3
- (no CPE)range: < 8.1.4-3.6.2
- (no CPE)range: < 8.1.4-3.6.2
- (no CPE)range: < 4.2.1-3.9.2
- (no CPE)range: < 2.8.1-4.12.1
- (no CPE)range: < 4.2.1-3.9.2
- (no CPE)range: < 5.2.0-3.3.2
- (no CPE)range: < 4.2.1-3.9.2
- (no CPE)range: < 5.2.0-3.3.2
- (no CPE)range: < 0.5.0+git.1589351878.4ef877c-1.12.1
- (no CPE)range: < 1.2.1-21.1
- (no CPE)range: < 1.8.1-11.12.1
- (no CPE)range: < 0.5.2-4.3.2
- (no CPE)range: < 0.5.2-4.3.2
- (no CPE)range: < 4.0.2-3.17.1
- (no CPE)range: < 1.5.0-1.3.1
- (no CPE)range: < 1.5.0-1.3.1
- (no CPE)range: < 1.22-5.12.1
- (no CPE)range: < 1.22-5.12.1
- (no CPE)range: < 1.23-3.12.2
- (no CPE)range: < 1.22-5.12.1
- (no CPE)range: < 1.23-3.12.2
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 3.4.4-3.16.1
- (no CPE)range: < 8.20200922-3.23.1
- (no CPE)range: < 7.20180803-3.18.3
- (no CPE)range: < 8.20200922-3.23.1
- (no CPE)range: < 9.20200610-3.21.4
- (no CPE)range: < 8.20200922-3.23.1
- (no CPE)range: < 9.20200610-3.21.4
- (no CPE)range: < 4.0.0-3.3.1
- (no CPE)range: < 4.0.0-4.3.1
- (no CPE)range: < 3.9.2-7.20.1
- (no CPE)range: < 3.9.3-1.1
- (no CPE)range: < 1.7.7-3.3.1
- (no CPE)range: < 1.7.7-4.3.1
- (no CPE)range: < 2.16.0-4.6.1
- (no CPE)range: < 2.16.0-4.9.1
- (no CPE)range: < 1.2.3-3.6.1
- (no CPE)range: < 1.2.3-3.6.1
- (no CPE)range: < 1.2.3-3.6.1
- (no CPE)range: < 5.1.1~dev7-12.28.1
- (no CPE)range: < 5.1.1~dev7-12.28.1
- (no CPE)range: < 5.0.2~dev3-12.29.1
- (no CPE)range: < 5.0.2~dev3-12.29.1
- (no CPE)range: < 7.0.1~dev24-3.19.3
- (no CPE)range: < 9.0.8~dev7-12.26.1
- (no CPE)range: < 9.0.8~dev7-12.26.1
- (no CPE)range: < 11.2.3~dev29-14.30.1
- (no CPE)range: < 11.2.3~dev29-14.30.1
- (no CPE)range: < 13.0.10~dev12-3.19.2
- (no CPE)range: < 5.0.3~dev7-12.27.1
- (no CPE)range: < 5.0.3~dev7-12.27.1
- (no CPE)range: < 7.0.2~dev2-3.19.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.24.1
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.24.1
- (no CPE)range: < 15.0.3~dev3-12.27.1
- (no CPE)range: < 15.0.3~dev3-12.27.1
- (no CPE)range: < 17.0.1~dev30-3.17.2
- (no CPE)range: < 9.0.8~dev22-12.29.1
- (no CPE)range: < 9.0.8~dev22-12.29.1
- (no CPE)range: < 11.0.3~dev35-3.19.2
- (no CPE)range: < 12.0.5~dev3-14.32.1
- (no CPE)range: < 14.1.1~dev6-4.18.3
- (no CPE)range: < 12.0.5~dev3-14.32.1
- (no CPE)range: < 9.1.8~dev8-12.29.1
- (no CPE)range: < 9.1.8~dev8-12.29.1
- (no CPE)range: < 11.1.5~dev6-4.15.2
- (no CPE)range: < 12.0.4~dev11-11.30.1
- (no CPE)range: < 12.0.4~dev11-11.30.1
- (no CPE)range: < 14.2.1~dev4-3.19.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.28.1
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.28.1
- (no CPE)range: < 7.2.1~dev1-4.19.2
- (no CPE)range: < 5.1.1~dev5-12.33.1
- (no CPE)range: < 5.1.1~dev5-12.33.1
- (no CPE)range: < 7.4.2~dev31-3.21.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.24.1
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.24.1
- (no CPE)range: < 1.8.2~dev3-3.19.2
- (no CPE)range: < 2.2.2~dev1-11.24.1
- (no CPE)range: < 2.2.2~dev1-11.24.1
- (no CPE)range: < 2.7.1~dev10-3.17.3
- (no CPE)range: < 4.0.2~dev2-12.24.1
- (no CPE)range: < 4.0.2~dev2-12.24.1
- (no CPE)range: < 11.0.9~dev69-13.32.1
- (no CPE)range: < 11.0.9~dev69-13.32.1
- (no CPE)range: < 13.0.8~dev68-6.19.2
- (no CPE)range: < 16.1.9~dev76-11.30.1
- (no CPE)range: < 16.1.9~dev76-11.30.1
- (no CPE)range: < 18.3.1~dev38-3.19.3
- (no CPE)range: < 1.0.6~dev3-12.29.1
- (no CPE)range: < 1.0.6~dev3-12.29.1
- (no CPE)range: < 3.2.3~dev7-4.19.2
- (no CPE)range: < 7.0.5~dev4-11.28.1
- (no CPE)range: < 7.0.5~dev4-11.28.1
- (no CPE)range: < 9.0.2~dev15-3.19.2
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.21.1
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.21.1
- (no CPE)range: < 2.19.2~dev48-2.14.2
- (no CPE)range: < 8.0.2~dev2-11.28.1
- (no CPE)range: < 8.0.2~dev2-11.28.1
- (no CPE)range: < 3.4.10-6.1

Patches

4d334bea06ca

[2.2.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests.

https://github.com/django/djangoSimon CharetteDec 17, 2019via ghsa

commit

4 files changed · +92 −8

django/contrib/auth/forms.py+20 −4 modified

@@ -20,6 +20,15 @@
 UserModel = get_user_model()
 
 
+def _unicode_ci_compare(s1, s2):
+    """
+    Perform case-insensitive comparison of two identifiers, using the
+    recommended algorithm from Unicode Technical Report 36, section
+    2.11.2(B)(2).
+    """
+    return unicodedata.normalize('NFKC', s1).casefold() == unicodedata.normalize('NFKC', s2).casefold()
+
+
 class ReadOnlyPasswordHashWidget(forms.Widget):
     template_name = 'auth/widgets/read_only_password_hash.html'
     read_only = True
@@ -256,11 +265,16 @@ def get_users(self, email):
         that prevent inactive users and users with unusable passwords from
         resetting their password.
         """
+        email_field_name = UserModel.get_email_field_name()
         active_users = UserModel._default_manager.filter(**{
-            '%s__iexact' % UserModel.get_email_field_name(): email,
+            '%s__iexact' % email_field_name: email,
             'is_active': True,
         })
-        return (u for u in active_users if u.has_usable_password())
+        return (
+            u for u in active_users
+            if u.has_usable_password() and
+            _unicode_ci_compare(email, getattr(u, email_field_name))
+        )
 
     def save(self, domain_override=None,
              subject_template_name='registration/password_reset_subject.txt',
@@ -273,15 +287,17 @@ def save(self, domain_override=None,
         user.
         """
         email = self.cleaned_data["email"]
+        email_field_name = UserModel.get_email_field_name()
         for user in self.get_users(email):
             if not domain_override:
                 current_site = get_current_site(request)
                 site_name = current_site.name
                 domain = current_site.domain
             else:
                 site_name = domain = domain_override
+            user_email = getattr(user, email_field_name)
             context = {
-                'email': email,
+                'email': user_email,
                 'domain': domain,
                 'site_name': site_name,
                 'uid': urlsafe_base64_encode(force_bytes(user.pk)),
@@ -292,7 +308,7 @@ def save(self, domain_override=None,
             }
             self.send_mail(
                 subject_template_name, email_template_name, context, from_email,
-                email, html_email_template_name=html_email_template_name,
+                user_email, html_email_template_name=html_email_template_name,
             )

docs/releases/1.11.27.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 1.11.27 release notes
 ============================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 1.11.27 fixes a data loss bug in 1.11.26.
+Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

docs/releases/2.2.9.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 2.2.9 release notes
 ==========================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 2.2.9 fixes a data loss bug in 2.2.8.
+Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

tests/auth_tests/test_forms.py+36 −0 modified

@@ -754,6 +754,42 @@ def test_invalid_email(self):
         self.assertFalse(form.is_valid())
         self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])
 
+    def test_user_email_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        User.objects.create_user('mike456', 'mıke@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])
+
+    def test_user_email_domain_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])
+
+    def test_user_email_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_user_email_domain_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 0)
+
     def test_nonexistent_email(self):
         """
         Test nonexistent email address. This should not fail because it would

302a4ff1e8b1

[3.0.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests.

https://github.com/django/djangoSimon CharetteDec 17, 2019via ghsa

commit

5 files changed · +110 −10

django/contrib/auth/forms.py+20 −4 modified

@@ -20,6 +20,15 @@
 UserModel = get_user_model()
 
 
+def _unicode_ci_compare(s1, s2):
+    """
+    Perform case-insensitive comparison of two identifiers, using the
+    recommended algorithm from Unicode Technical Report 36, section
+    2.11.2(B)(2).
+    """
+    return unicodedata.normalize('NFKC', s1).casefold() == unicodedata.normalize('NFKC', s2).casefold()
+
+
 class ReadOnlyPasswordHashWidget(forms.Widget):
     template_name = 'auth/widgets/read_only_password_hash.html'
     read_only = True
@@ -269,11 +278,16 @@ def get_users(self, email):
         that prevent inactive users and users with unusable passwords from
         resetting their password.
         """
+        email_field_name = UserModel.get_email_field_name()
         active_users = UserModel._default_manager.filter(**{
-            '%s__iexact' % UserModel.get_email_field_name(): email,
+            '%s__iexact' % email_field_name: email,
             'is_active': True,
         })
-        return (u for u in active_users if u.has_usable_password())
+        return (
+            u for u in active_users
+            if u.has_usable_password() and
+            _unicode_ci_compare(email, getattr(u, email_field_name))
+        )
 
     def save(self, domain_override=None,
              subject_template_name='registration/password_reset_subject.txt',
@@ -286,15 +300,17 @@ def save(self, domain_override=None,
         user.
         """
         email = self.cleaned_data["email"]
+        email_field_name = UserModel.get_email_field_name()
         for user in self.get_users(email):
             if not domain_override:
                 current_site = get_current_site(request)
                 site_name = current_site.name
                 domain = current_site.domain
             else:
                 site_name = domain = domain_override
+            user_email = getattr(user, email_field_name)
             context = {
-                'email': email,
+                'email': user_email,
                 'domain': domain,
                 'site_name': site_name,
                 'uid': urlsafe_base64_encode(force_bytes(user.pk)),
@@ -305,7 +321,7 @@ def save(self, domain_override=None,
             }
             self.send_mail(
                 subject_template_name, email_template_name, context, from_email,
-                email, html_email_template_name=html_email_template_name,
+                user_email, html_email_template_name=html_email_template_name,
             )

docs/releases/1.11.27.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 1.11.27 release notes
 ============================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 1.11.27 fixes a data loss bug in 1.11.26.
+Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

docs/releases/2.2.9.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 2.2.9 release notes
 ==========================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 2.2.9 fixes a data loss bug in 2.2.8.
+Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

docs/releases/3.0.1.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 3.0.1 release notes
 ==========================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 3.0.1 fixes several bugs in 3.0.
+Django 3.0.1 fixes a security issue and several bugs in 3.0.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

tests/auth_tests/test_forms.py+36 −0 modified

@@ -804,6 +804,42 @@ def test_invalid_email(self):
         self.assertFalse(form.is_valid())
         self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])
 
+    def test_user_email_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        User.objects.create_user('mike456', 'mıke@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])
+
+    def test_user_email_domain_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])
+
+    def test_user_email_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_user_email_domain_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 0)
+
     def test_nonexistent_email(self):
         """
         Test nonexistent email address. This should not fail because it would

f4cff43bf921

[1.11.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests.

https://github.com/django/djangoSimon CharetteDec 17, 2019via ghsa

commit

3 files changed · +86 −6

django/contrib/auth/forms.py+26 −4 modified

@@ -16,12 +16,27 @@
 from django.template import loader
 from django.utils.encoding import force_bytes
 from django.utils.http import urlsafe_base64_encode
+from django.utils.six import PY3
 from django.utils.text import capfirst
 from django.utils.translation import ugettext, ugettext_lazy as _
 
 UserModel = get_user_model()
 
 
+def _unicode_ci_compare(s1, s2):
+    """
+    Perform case-insensitive comparison of two identifiers, using the
+    recommended algorithm from Unicode Technical Report 36, section
+    2.11.2(B)(2).
+    """
+    normalized1 = unicodedata.normalize('NFKC', s1)
+    normalized2 = unicodedata.normalize('NFKC', s2)
+    if PY3:
+        return normalized1.casefold() == normalized2.casefold()
+    # lower() is the best alternative available on Python 2.
+    return normalized1.lower() == normalized2.lower()
+
+
 class ReadOnlyPasswordHashWidget(forms.Widget):
     template_name = 'auth/widgets/read_only_password_hash.html'
 
@@ -249,11 +264,16 @@ def get_users(self, email):
         that prevent inactive users and users with unusable passwords from
         resetting their password.
         """
+        email_field_name = UserModel.get_email_field_name()
         active_users = UserModel._default_manager.filter(**{
-            '%s__iexact' % UserModel.get_email_field_name(): email,
+            '%s__iexact' % email_field_name: email,
             'is_active': True,
         })
-        return (u for u in active_users if u.has_usable_password())
+        return (
+            u for u in active_users
+            if u.has_usable_password() and
+            _unicode_ci_compare(email, getattr(u, email_field_name))
+        )
 
     def save(self, domain_override=None,
              subject_template_name='registration/password_reset_subject.txt',
@@ -266,15 +286,17 @@ def save(self, domain_override=None,
         user.
         """
         email = self.cleaned_data["email"]
+        email_field_name = UserModel.get_email_field_name()
         for user in self.get_users(email):
             if not domain_override:
                 current_site = get_current_site(request)
                 site_name = current_site.name
                 domain = current_site.domain
             else:
                 site_name = domain = domain_override
+            user_email = getattr(user, email_field_name)
             context = {
-                'email': email,
+                'email': user_email,
                 'domain': domain,
                 'site_name': site_name,
                 'uid': urlsafe_base64_encode(force_bytes(user.pk)),
@@ -286,7 +308,7 @@ def save(self, domain_override=None,
                 context.update(extra_email_context)
             self.send_mail(
                 subject_template_name, email_template_name, context, from_email,
-                email, html_email_template_name=html_email_template_name,
+                user_email, html_email_template_name=html_email_template_name,
             )

docs/releases/1.11.27.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 1.11.27 release notes
 ============================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 1.11.27 fixes a data loss bug in 1.11.26.
+Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

tests/auth_tests/test_forms.py+42 −0 modified

@@ -694,6 +694,48 @@ def test_invalid_email(self):
         self.assertFalse(form.is_valid())
         self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])
 
+    def test_user_email_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        User.objects.create_user('mike456', 'mıke@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        if six.PY2:
+            self.assertFalse(form.is_valid())
+        else:
+            self.assertTrue(form.is_valid())
+            form.save()
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])
+
+    def test_user_email_domain_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])
+
+    def test_user_email_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        if six.PY2:
+            self.assertFalse(form.is_valid())
+        else:
+            self.assertTrue(form.is_valid())
+            form.save()
+            self.assertEqual(len(mail.outbox), 0)
+
+    def test_user_email_domain_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 0)
+
     def test_nonexistent_email(self):
         """
         Test nonexistent email address. This should not fail because it would

5b1fbcef7a8b

Fixed CVE-2019-19844 -- Used verified user email for password reset requests.

https://github.com/django/djangoSimon CharetteDec 17, 2019via ghsa

commit

5 files changed · +110 −10

django/contrib/auth/forms.py+20 −4 modified

@@ -20,6 +20,15 @@
 UserModel = get_user_model()
 
 
+def _unicode_ci_compare(s1, s2):
+    """
+    Perform case-insensitive comparison of two identifiers, using the
+    recommended algorithm from Unicode Technical Report 36, section
+    2.11.2(B)(2).
+    """
+    return unicodedata.normalize('NFKC', s1).casefold() == unicodedata.normalize('NFKC', s2).casefold()
+
+
 class ReadOnlyPasswordHashWidget(forms.Widget):
     template_name = 'auth/widgets/read_only_password_hash.html'
     read_only = True
@@ -269,11 +278,16 @@ def get_users(self, email):
         that prevent inactive users and users with unusable passwords from
         resetting their password.
         """
+        email_field_name = UserModel.get_email_field_name()
         active_users = UserModel._default_manager.filter(**{
-            '%s__iexact' % UserModel.get_email_field_name(): email,
+            '%s__iexact' % email_field_name: email,
             'is_active': True,
         })
-        return (u for u in active_users if u.has_usable_password())
+        return (
+            u for u in active_users
+            if u.has_usable_password() and
+            _unicode_ci_compare(email, getattr(u, email_field_name))
+        )
 
     def save(self, domain_override=None,
              subject_template_name='registration/password_reset_subject.txt',
@@ -292,9 +306,11 @@ def save(self, domain_override=None,
             domain = current_site.domain
         else:
             site_name = domain = domain_override
+        email_field_name = UserModel.get_email_field_name()
         for user in self.get_users(email):
+            user_email = getattr(user, email_field_name)
             context = {
-                'email': email,
+                'email': user_email,
                 'domain': domain,
                 'site_name': site_name,
                 'uid': urlsafe_base64_encode(force_bytes(user.pk)),
@@ -305,7 +321,7 @@ def save(self, domain_override=None,
             }
             self.send_mail(
                 subject_template_name, email_template_name, context, from_email,
-                email, html_email_template_name=html_email_template_name,
+                user_email, html_email_template_name=html_email_template_name,
             )

docs/releases/1.11.27.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 1.11.27 release notes
 ============================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 1.11.27 fixes a data loss bug in 1.11.26.
+Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

docs/releases/2.2.9.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 2.2.9 release notes
 ==========================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 2.2.9 fixes a data loss bug in 2.2.8.
+Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

docs/releases/3.0.1.txt+18 −2 modified

@@ -2,9 +2,25 @@
 Django 3.0.1 release notes
 ==========================
 
-*Expected January 2, 2020*
+*December 18, 2019*
 
-Django 3.0.1 fixes several bugs in 3.0.
+Django 3.0.1 fixes a security issue and several bugs in 3.0.
+
+CVE-2019-19844: Potential account hijack via password reset form
+================================================================
+
+By submitting a suitably crafted email address making use of Unicode
+characters, that compared equal to an existing user email when lower-cased for
+comparison, an attacker could be sent a password reset token for the matched
+account.
+
+In order to avoid this vulnerability, password reset requests now compare the
+submitted email using the stricter, recommended algorithm for case-insensitive
+comparison of two identifiers from `Unicode Technical Report 36, section
+2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
+sent to the email address on record rather than the submitted address.
+
+.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
 
 Bugfixes
 ========

tests/auth_tests/test_forms.py+36 −0 modified

@@ -804,6 +804,42 @@ def test_invalid_email(self):
         self.assertFalse(form.is_valid())
         self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])
 
+    def test_user_email_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        User.objects.create_user('mike456', 'mıke@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])
+
+    def test_user_email_domain_unicode_collision(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])
+
+    def test_user_email_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@example.org', 'test123')
+        data = {'email': 'mıke@example.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 0)
+
+    def test_user_email_domain_unicode_collision_nonexistent(self):
+        User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+        data = {'email': 'mike@ıxample.org'}
+        form = PasswordResetForm(data)
+        self.assertTrue(form.is_valid())
+        form.save()
+        self.assertEqual(len(mail.outbox), 0)
+
     def test_nonexistent_email(self):
         """
         Test nonexistent email address. This should not fail because it would

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-vfq6-hq5r-27r6ghsaADVISORY
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/mitrevendor-advisoryx_refsource_FEDORA
nvd.nist.gov/vuln/detail/CVE-2019-19844ghsaADVISORY
security.gentoo.org/glsa/202004-17ghsavendor-advisoryx_refsource_GENTOOWEB
usn.ubuntu.com/4224-1/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2020/dsa-4598ghsavendor-advisoryx_refsource_DEBIANWEB
packetstormsecurity.com/files/155872/Django-Account-Hijack.htmlghsax_refsource_MISCWEB
docs.djangoproject.com/en/dev/releases/securityghsaWEB
docs.djangoproject.com/en/dev/releases/security/mitrex_refsource_MISC
github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26ghsaWEB
github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0eghsaWEB
github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70ghsaWEB
github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2ghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-16.yamlghsaWEB
groups.google.com/forum/ghsaWEB
groups.google.com/forum/mitrex_refsource_MISC
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUDghsaWEB
seclists.org/bugtraq/2020/Jan/9ghsamailing-listx_refsource_BUGTRAQWEB
security.netapp.com/advisory/ntap-20200110-0003ghsaWEB
security.netapp.com/advisory/ntap-20200110-0003/mitrex_refsource_CONFIRM
usn.ubuntu.com/4224-1ghsaWEB
www.djangoproject.com/weblog/2019/dec/18/security-releasesghsaWEB
www.djangoproject.com/weblog/2019/dec/18/security-releases/mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.011
exploit	0.030
kev	0.000
patch	-0.070
ransomware	0.000