CVE-2018-16984
Published: 2 October 2018
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
Notes
Author | Note |
---|---|
mdeslaur | this issue was introduced in 2.1 |
Priority
Status
Package | Release | Status |
---|---|---|
python-django (Launchpad, Ubuntu, Debian) | bionic | Not vulnerable (code not present) |
python-django | cosmic | Not vulnerable (code not present) |
python-django | trusty | Not vulnerable (code not present) |
python-django | upstream | Released (2.1.2) |
python-django | xenial | Not vulnerable (code not present) |

Patches:
upstream: https://github.com/django/django/commit/bf39978a53f117ca02e9a0c78b76664a41a54745
upstream: https://github.com/django/django/commit/c4bd5b597e0aa2432e4c867b86650f18af117851
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.9 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | High |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |