Lucene search

K

GoogleOSV:GHSA-X7Q2-WR7G-XQMF

HistoryJul 10, 2024 - 6:33 a.m.

Django vulnerable to user enumeration attack

2024-07-1006:33:52

Google

osv.dev

11

django

vulnerability

user enumeration

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.4

Confidence

Low

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

References

docs.djangoproject.com/en/dev/releases/security

github.com/django/django

github.com/django/django/commit/07cefdee4a9d1fcd9a3a631cbd07c78defd1923b

github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14

github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-57.yaml

groups.google.com/forum/#%21forum/django-announce

nvd.nist.gov/vuln/detail/CVE-2024-39329

www.djangoproject.com/weblog/2024/jul/09/security-releases

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.4

Confidence

Low

Related for OSV:GHSA-X7Q2-WR7G-XQMF

vulnrichment1 veracode1 wolfi1 debiancve1 cve1 osv4 redhatcve1 cvelist1 github1 nvd1 ubuntucve1 freebsd1 nessus10 openvas8 ubuntu2 fedora4 ibm1 redhat1