Because failures while sending email were not handled, the
django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to
enumerate user emails: when mail delivery failed, a password reset request for a
registered address raised an error while a request for an unknown address did not,
so the response revealed whether an account existed.
To mitigate this risk, exceptions raised while sending the password reset email
are now caught and logged via the “django.contrib.auth” logger, so both cases
produce the same response.
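The following is an added illustration of the difference between the two behaviours described above; it is not Django's code and does not import Django. It models `PasswordResetForm.save()` with a stand-in user table, a stand-in mail backend that always fails (`failing_backend`), and two versions of the reset flow: `reset_unhandled` lets the sending error escape (the reported behaviour) while `reset_handled` catches it and logs it to the `django.contrib.auth` logger (the mitigation). The `responses_are_uniform` helper is the check a defender would run: a known and an unknown address must yield the same observable outcome. All names and sample data here are constructed for the example.

```python
import logging
from typing import Callable, Dict, List

# Constructed sample user table (email -> username); not real accounts.
USERS: Dict[str, str] = {"alice@example.invalid": "alice"}

# Same logger name the mitigation uses; records are collected in memory so the
# example can show that the failure is logged rather than surfaced to the client.
logger = logging.getLogger("django.contrib.auth")
LOGGED: List[logging.LogRecord] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOGGED.append(record)


logger.addHandler(_ListHandler())
logger.setLevel(logging.DEBUG)


class SendFailure(Exception):
    """Stand-in for an SMTP/backend error raised while sending mail."""


def failing_backend(to_email: str) -> None:
    """Constructed mail backend whose delivery always fails."""
    raise SendFailure(f"could not connect to mail server while mailing {to_email}")


def users_for_email(email: str) -> List[str]:
    """Mimics PasswordResetForm.get_users(): only registered addresses match."""
    return [USERS[email]] if email in USERS else []


def reset_unhandled(email: str, send: Callable[[str], None]) -> str:
    """Reported behaviour: a sending failure propagates out of the form.

    The send is only attempted for registered addresses, so an error is only
    observable when the account exists.
    """
    for _user in users_for_email(email):
        send(email)
    return "ok"


def reset_handled(email: str, send: Callable[[str], None]) -> str:
    """Mitigated behaviour: the failure is caught and logged, response is uniform."""
    for _user in users_for_email(email):
        try:
            send(email)
        except Exception:
            logger.exception("Failed to send password reset email to %s", email)
    return "ok"


def outcome(handler: Callable[[str, Callable[[str], None]], str],
            email: str, send: Callable[[str], None]) -> str:
    """What a client would observe: a normal response or an error response."""
    try:
        return handler(email, send)
    except Exception as exc:
        return f"error: {type(exc).__name__}"


def responses_are_uniform(handler: Callable[[str, Callable[[str], None]], str],
                          send: Callable[[str], None]) -> bool:
    """Defender's check: known and unknown addresses must look identical."""
    known = outcome(handler, "alice@example.invalid", send)
    unknown = outcome(handler, "nobody@example.invalid", send)
    return known == unknown


if __name__ == "__main__":
    print("unhandled uniform:", responses_are_uniform(reset_unhandled, failing_backend))
    print("handled uniform:  ", responses_are_uniform(reset_handled, failing_backend))
    print("log records:", [r.getMessage() for r in LOGGED])
```

Run as a script, the unhandled variant reports that the two outcomes differ (an error for the registered address, a normal response for the unknown one), while the handled variant reports them as identical and leaves a single error-level record on the `django.contrib.auth` logger, which is where monitoring for a broken mail backend should hook in.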
Author | Note |
---|---|
 | Priority reason: Only allows enumeration of user emails via brute-force approach. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-django | < 1:1.11.11-1ubuntu1.21+esm7 | UNKNOWN |
ubuntu | 20.04 | noarch | python-django | < 2:2.2.12-1ubuntu0.25 | UNKNOWN |
ubuntu | 22.04 | noarch | python-django | < 2:3.2.12-2ubuntu1.14 | UNKNOWN |
ubuntu | 24.04 | noarch | python-django | < 3:4.2.11-1ubuntu1.3 | UNKNOWN |
ubuntu | 14.04 | noarch | python-django | < any | UNKNOWN |
ubuntu | 16.04 | noarch | python-django | < any | UNKNOWN |