PyPi: Django

CVE-2018-6188

Safety vulnerability ID: 35173

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 05, 2018 Updated at Dec 10, 2024
Scan your Python projects for vulnerabilities →

Advisory

Django 2.0.2 and 1.11.10 include a fix for CVE-2018-6188: django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
https://www.djangoproject.com/weblog/2018/feb/01/security-releases

Affected package

django

Latest version: 5.1.4

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Affected versions

Fixed versions

Vulnerability changelog

==========================

*February 1, 2018*

Django 2.0.2 fixes a security issue and several bugs in 2.0.1.

CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================

A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker enter an arbitrary username and see if that user has
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.

Bugfixes
========

* Fixed hidden content at the bottom of the "The install worked successfully!"
page for some languages (:ticket:`28885`).

* Fixed incorrect foreign key nullification if a model has two foreign keys to
the same model and a target model is deleted (:ticket:`29016`).

* Fixed regression in the use of ``QuerySet.values_list(..., flat=True)``
followed by ``annotate()`` (:ticket:`29067`).

* Fixed a regression where a queryset that annotates with geometry objects
crashes (:ticket:`29054`).

* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an
authentication backend doesn't accept ``request`` and a later one does
(:ticket:`29071`).

* Fixed a regression where ``makemigrations`` crashes if a migrations directory
doesn't have an ``__init__.py`` file (:ticket:`29091`).

* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``
(:ticket:`29094`).


==========================

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
NONE
Availability Availability (A)
NONE

CVSS v2 Details

MEDIUM 5.0
Access Vector (AV)
NETWORK
Access Complexity (AC)
LOW
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
NONE
Availability Impact (A)
NONE