CVE-2018-16984

2018-10-0218:29:00

Debian Security Bug Tracker

security-tracker.debian.org

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

59.7%

JSON

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the “view” permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-django< 3:3.2.19-1+deb12u1python-django_3:3.2.19-1+deb12u1_all.deb
Debian11allpython-django< 2:2.2.28-1~deb11u2python-django_2:2.2.28-1~deb11u2_all.deb
Debian10allpython-django< 1:1.11.29-1~deb10u1python-django_1:1.11.29-1~deb10u1_all.deb
Debian999allpython-django< 3:4.2.13-1python-django_3:4.2.13-1_all.deb
Debian13allpython-django< 3:4.2.11-1python-django_3:4.2.11-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-django	< 3:3.2.19-1+deb12u1	python-django_3:3.2.19-1+deb12u1_all.deb
Debian	11	all	python-django	< 2:2.2.28-1~deb11u2	python-django_2:2.2.28-1~deb11u2_all.deb
Debian	10	all	python-django	< 1:1.11.29-1~deb10u1	python-django_1:1.11.29-1~deb10u1_all.deb
Debian	999	all	python-django	< 3:4.2.13-1	python-django_3:4.2.13-1_all.deb
Debian	13	all	python-django	< 3:4.2.11-1	python-django_3:4.2.11-1_all.deb