FreeBSDD5FEAD4F-8EFA-11EA-A5C8-08002728F74CWagtail -- potential timing attack vulnerability
1.9 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
6.1 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
0.0004 Low
EPSS
Percentile
12.7%
Wagtail release notes:
CVE-2020-11037: Potential timing attack on password-protected private pages
This release addresses a potential timing attack on pages or documents
that have been protected with a shared password through Wagtail’s
“Privacy” controls. This password check is performed through a
character-by-character string comparison, and so an attacker who is
able to measure the time taken by this check to a high degree of
accuracy could potentially use timing differences to gain knowledge of
the password. (This is understood to be feasible on a local network, but
not on the public internet.)
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | py35-wagtail | < 2.7.3 | UNKNOWN |
| FreeBSD | any | noarch | py36-wagtail | < 2.7.3 | UNKNOWN |
| FreeBSD | any | noarch | py37-wagtail | < 2.7.3 | UNKNOWN |
| FreeBSD | any | noarch | py38-wagtail | < 2.7.3 | UNKNOWN |
Related
1.9 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
6.1 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N
0.0004 Low
EPSS
Percentile
12.7%