PyPI: Wagtail

CVE-2020-11037

Safety vulnerability ID: 38249

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 30, 2020. Updated at Feb 21, 2025.

Advisory

Affected versions of Wagtail are vulnerable to a potential timing attack on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet.
Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.
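The comparison described above, shown as an added illustration rather than Wagtail's own code: a naive early-exit string comparison, a counter that makes its input-dependent amount of work visible without relying on wall-clock timing, and the hardened form built on Python's `hmac.compare_digest`. The password value is a constructed sample.

```python
import hmac


def naive_password_check(submitted: str, expected: str) -> bool:
    """Character-by-character comparison that returns on the first mismatch.

    Its running time depends on how many leading characters of `submitted`
    agree with `expected`; that dependency is the leak the advisory describes.
    """
    if len(submitted) != len(expected):
        return False
    for a, b in zip(submitted, expected):
        if a != b:
            return False
    return True


def characters_examined(submitted: str, expected: str) -> int:
    """How many characters the naive check inspects before it returns.

    Counting operations instead of measuring time shows the leak
    deterministically: a guess sharing a longer correct prefix costs more
    work. 0 means the length check short-circuited.
    """
    if len(submitted) != len(expected):
        return 0
    examined = 0
    for a, b in zip(submitted, expected):
        examined += 1
        if a != b:
            break
    return examined


def constant_time_password_check(submitted: str, expected: str) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of where the
    first differing byte is (only a length difference is still observable).
    Django exposes the same primitive as django.utils.crypto.constant_time_compare."""
    return hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    shared_password = "hunter42"  # constructed sample, not a real setting
    for guess in ("zzzzzzzz", "huzzzzzz", "huntezzz", "hunter42"):
        print(guess,
              characters_examined(guess, shared_password),
              naive_password_check(guess, shared_password),
              constant_time_password_check(guess, shared_password))
```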

Affected package

wagtail

Latest version: 6.4.1

A Django content management system.

Affected versions

Fixed versions

Vulnerability changelog

* Fix: CVE-2020-11037 - avoid potential timing attack on password-protected private pages (Thibaud Colas)

Severity Details

CVSS Base Score

MEDIUM 4.7

CVSS v3 Details

MEDIUM 4.7
Attack Vector (AV)
LOCAL
Attack Complexity (AC)
HIGH
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
NONE
Availability Impact (A)
NONE

CVSS v2 Details

LOW 1.9
Access Vector (AV)
LOCAL
Access Complexity (AC)
MEDIUM
Authentication (Au)
NONE
Confidentiality Impact (C)
PARTIAL
Integrity Impact (I)
NONE
Availability Impact (A)
NONE