Ubuntu CVE tracker: UB:CVE-2024-39329
History: Jul 09, 2024 - 12:00 a.m.

CVE-2024-39329

Source: ubuntu.com
Tags: django, security, django.contrib.auth, modelbackend, timing attack, user enumeration, unusable passwords, cve-2024-39329, 4.2, 5.0, 5.1

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5
Confidence: High
EPSS: 0
Percentile: 15.8%

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14.
The django.contrib.auth.backends.ModelBackend.authenticate() method allows
remote attackers to enumerate users via a timing attack involving login
requests for users with an unusable password. For an account whose stored
password is marked unusable (set_unusable_password(), typically SSO-only or
service accounts), the check returned without running the password hasher,
so the login response came back measurably faster than for an account with a
usable password or for a nonexistent username; an attacker could use that
difference to confirm which usernames exist. The fixed releases run the
hasher in that case as well, so the response time no longer depends on
whether the account exists or how its password is stored.
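The following is an added illustration, not Django's code and not part of the advisory: a miniature authenticate() with a toy PBKDF2 hasher (20,000 iterations, an assumed work factor) and a constructed two-user table. authenticate_vulnerable() reproduces the short-circuit for unusable passwords; authenticate_fixed() burns one hasher run in every non-success path. HASHER_CALLS and hasher_runs() are instrumentation added so the leak can be checked deterministically instead of only by wall-clock timing; all names are hypothetical.

```python
# Added example (not Django's code): the CVE-2024-39329 short-circuit and the
# constant-work fix, in miniature. Hasher, user table and names are constructed.
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 20_000   # assumed work factor; Django's real hashers use far more
HASHER_CALLS = 0      # instrumentation: how many times the slow hasher ran


def slow_hash(password: str, salt: bytes) -> bytes:
    """The expensive step whose presence or absence is visible in response time."""
    global HASHER_CALLS
    HASHER_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_password(password: str) -> str:
    salt = os.urandom(16)
    return "pbkdf2$" + salt.hex() + "$" + slow_hash(password, salt).hex()


def make_unusable_password() -> str:
    # Django stores a value starting with "!" for accounts that must never
    # log in with a password (set_unusable_password(), e.g. SSO-only users).
    return "!" + os.urandom(20).hex()


def is_password_usable(encoded: str) -> bool:
    return not encoded.startswith("!")


def verify(password: str, encoded: str) -> bool:
    _, salt_hex, digest_hex = encoded.split("$")
    candidate = slow_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user table: one normal account, one SSO-only account.
USERS = {
    "alice": make_password("correct horse battery"),
    "svc-sso": make_unusable_password(),
}


def authenticate_vulnerable(username: str, password: str):
    encoded = USERS.get(username)
    if encoded is None:
        slow_hash(password, b"\x00" * 16)  # nonexistent user: dummy hash, as before
        return None
    if not is_password_usable(encoded):
        return None  # BUG: instant reply reveals that the account exists
    return username if verify(password, encoded) else None


def authenticate_fixed(username: str, password: str):
    encoded = USERS.get(username)
    if encoded is None or not is_password_usable(encoded):
        # Same work as a real verification, so "no such user", "unusable
        # password" and "wrong password" are indistinguishable by timing.
        slow_hash(password, os.urandom(16))
        return None
    return username if verify(password, encoded) else None


def hasher_runs(auth_fn, username: str, password: str) -> int:
    """Count slow-hash invocations for a single login attempt."""
    global HASHER_CALLS
    HASHER_CALLS = 0
    auth_fn(username, password)
    return HASHER_CALLS


def median_ms(auth_fn, username: str, trials: int = 5) -> float:
    """What a remote attacker actually measures: median response time."""
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        auth_fn(username, "wrong-password")
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        print(fn.__name__)
        for user in ("alice", "svc-sso", "nobody"):
            runs = hasher_runs(fn, user, "wrong-password")
            print(f"  {user:8s} hasher runs={runs}  ~{median_ms(fn, user):.1f} ms")
```

Running the block prints, for the vulnerable variant, zero hasher runs and a near-zero response time for svc-sso against one run for the other two names; in the fixed variant every path costs exactly one hasher run. The same check is worth keeping in a test suite: count hasher invocations across "unknown user", "unusable password" and "wrong password" and fail if they differ.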

Notes

Author Note
Priority reason: requires user accounts with unusable passwords
alexmurray: upstream advises that only versions 4.2, 5.0 and 5.1 (plus the main development branch) are affected, but it is likely that earlier versions may also be affected; upstream does not mention this as those versions are no longer maintained by them.
OS     | Version | Architecture | Package       | Version                      | Filename
ubuntu | 18.04   | noarch       | python-django | < 1:1.11.11-1ubuntu1.21+esm5 | UNKNOWN
ubuntu | 20.04   | noarch       | python-django | < 2:2.2.12-1ubuntu0.23       | UNKNOWN
ubuntu | 22.04   | noarch       | python-django | < 2:3.2.12-2ubuntu1.12       | UNKNOWN
ubuntu | 23.10   | noarch       | python-django | < 3:4.2.4-1ubuntu2.3         | UNKNOWN
ubuntu | 24.04   | noarch       | python-django | < 3:4.2.11-1ubuntu1.1        | UNKNOWN
ubuntu | 14.04   | noarch       | python-django | < any                        | UNKNOWN
ubuntu | 16.04   | noarch       | python-django | < any                        | UNKNOWN
