Safety vulnerability ID: 35173
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Django 2.0.2 and 1.11.10 include a fix for CVE-2018-6188: django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
https://www.djangoproject.com/weblog/2018/feb/01/security-releases
Latest version: 5.1.3
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
==========================
*February 1, 2018*
Django 2.0.2 fixes a security issue and several bugs in 2.0.1.
CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================
A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker enter an arbitrary username and see if that user has
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
more sensitive details could be leaked.
This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.
Bugfixes
========
* Fixed hidden content at the bottom of the "The install worked successfully!"
page for some languages (:ticket:`28885`).
* Fixed incorrect foreign key nullification if a model has two foreign keys to
the same model and a target model is deleted (:ticket:`29016`).
* Fixed regression in the use of ``QuerySet.values_list(..., flat=True)``
followed by ``annotate()`` (:ticket:`29067`).
* Fixed a regression where a queryset that annotates with geometry objects
crashes (:ticket:`29054`).
* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an
authentication backend doesn't accept ``request`` and a later one does
(:ticket:`29071`).
* Fixed a regression where ``makemigrations`` crashes if a migrations directory
doesn't have an ``__init__.py`` file (:ticket:`29091`).
* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``
(:ticket:`29094`).
==========================
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application