CVE-2018-16984 – django

Package

Manager: pip
Name: django
Vulnerable Version: >=2.1 <2.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00927 pctl0.75176

Details

Django allows unprivileged users to read the password hashes of arbitrary accounts An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

Metadata

Created: 2018-10-03T20:07:39Z
Modified: 2024-09-18T18:58:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6mx3-3vqg-hpp2/GHSA-6mx3-3vqg-hpp2.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-6mx3-3vqg-hpp2
Finding: F035
Auto approve: 1