11 matches found

OSV
added 2026/02/05 8:38 a.m., 3 views

BIT-DJANGO-2025-13473 Username enumeration through timing difference in mod_wsgi authentication handler

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password function for authentication via modwsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series such as 5.0.x,...

CVSS 5.3, AI score 5.5, EPSS 0.00036
Exploits 0, References 4
Snyk
added 2026/02/03 3:49 p.m., 1 views

Timing Attack

Overview: Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Timing Attack via the check_password function in the modwsgi.py file. An attacker can determine the existence of valid usernames b...

CVSS 7.5, AI score 5.5, EPSS 0.00036
Exploits 0, References 2
OSV
added 2026/02/03 3:16 p.m., 3 views

PYSEC-2026-42

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password function for authentication via modwsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series such as 5.0.x,...

CVSS 5.3, AI score 5.8, EPSS 0.00036
Exploits 0, References 3
ATTACKERKB
added 2026/02/03 2:32 p.m., 5 views

CVE-2025-13473

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password function for authentication via modwsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series such as 5.0.x,...

AI score 5.5, EPSS 0.00036
Exploits 0, References 4, Affected Software 1
EUVD
added 2026/02/03 2:32 p.m., 1 views

EUVD-2025-206740

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password function for authentication via modwsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series such as 5.0.x,...

CVSS 5.3, AI score 5.5, EPSS 0.00036
Exploits 0, References 3
AlpineLinux
added 2026/02/03 2:32 p.m., 4 views

CVE-2025-13473

An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The django.contrib.auth.handlers.modwsgi.check_password function for authentication via modwsgi allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series such as 5.0.x,...

CVSS 5.3, AI score 5.5, EPSS 0.00036
Exploits 0
CNNVD
added 2026/02/03 12:00 a.m., 5 views

Django Security Vulnerability

Django is a set of open-source web frameworks based on the Python language, developed by the Django Foundation. This framework includes an object-relational mapper, view system, template system, etc. Versions prior to Django 6.0.2, 5.2.11, and 4.2.28 have security vulnerabilities. These...

CVSS 5.3, AI score 5.8, EPSS 0.00036
Exploits 0, References 4
Veracode
added 2018/05/09 5:51 a.m., 9 views

Authentication Bypass

django-allauth is vulnerable to authentication bypass attacks. The vulnerability exists as the check_password function used in the authentication backend failed to reject authentication to a user if is_active=False is set...

AI score 6.8
Exploits 0
CVE
added 2018/02/01 5:00 p.m., 39 views

CVE-2011-4068

PacketFence before 3.0.2 is affected by an authentication bypass in the check_password function (html/admin/login.php). An unauthenticated remote attacker can bypass login with an empty password, gaining access to the system. Multiple sources reference PacketFence.

CVSS 9.8, AI score 9.5, EPSS 0.0048
Exploits 0, References 2, Affected Software 1
Hacker One
added 2016/12/29 6:01 p.m., 38 views

GlobaLeaks: GlobaLeaks is vulnerable to timing attacks.

Dear GlobaLeaks bug bounty team, GlobaLeaks is vulnerable to timing attacks, because the check_password function performs a byte-by-byte comparison, which terminates early when two characters do not match. Summary --- Timing attacks are a type of side channel attack where one can discover valuable...

AI score 7
Exploits 0
Oracle Linux
added 2015/11/23 12:00 a.m., 43 views

openldap security, bug fix, and enhancement update

2.4.40-8 - NSS does not support string ordering 1231522 - implement and correct order of parsing attributes 1231522 - add multimask and multistrength to correctly handle sets of attributes 1231522 - add new cipher suites and correct AES-GCM attributes 1245279 - correct DEFAULT ciphers handling to...

CVSS 5, AI score 7.8, EPSS 0.02575
Exploits 0