pip

Django vulnerable to user enumeration attack

Moderate severity GitHub Reviewed Published Jul 10, 2024 to the GitHub Advisory Database • Updated Jul 11, 2024

Package

Django (pip)

Affected versions

>= 5.0, < 5.0.7

>= 4.2, < 4.2.14

Patched versions

5.0.7

4.2.14

Description

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39329
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/forum/#%21forum/django-announce
https://www.djangoproject.com/weblog/2024/jul/09/security-releases
django/django@07cefde
django/django@156d318
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-57.yaml

Published by the National Vulnerability Database

Jul 10, 2024

Published to the GitHub Advisory Database Jul 10, 2024

Reviewed Jul 10, 2024

Last updated Jul 11, 2024

Severity

Moderate

5.3

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Django vulnerable to user enumeration attack

Package

Affected versions

Patched versions

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code