CVE-2018-16984
Published: 2 October 2018
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
Notes
| Author | Note |
|---|---|
| mdeslaur | this issue was introduced in 2.1 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python-django Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| cosmic |
Not vulnerable
(code not present)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(2.1.2)
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745 upstream: https://github.com/django/django/commit/c4bd5b597e0aa2432e4c867b86650f18af117851 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.9 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |