CVE-2018-16984Insufficiently Protected Credentials in Django

CWE-522Insufficiently Protected CredentialsCWE-200Sensitive Information Exposure9 documents7 sources
Severity
4.9MEDIUMNVD
EPSS
0.7%
top 27.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Djangoproject Django
Timeline
PublishedOct 2
Latest updateOct 15

Description

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

NVDdjangoproject/django2.12.1.2
PyPIdjangoproject/django2.12.1.2

🔴Vulnerability Details

4
OSV
Django allows unprivileged users to read the password hashes of arbitrary accounts2018-10-03
GHSA
Django allows unprivileged users to read the password hashes of arbitrary accounts2018-10-03
OSV
CVE-2018-16984: An issue was discovered in Django 22018-10-02
CVEList
CVE-2018-16984: An issue was discovered in Django 22018-10-02

📋Vendor Advisories

2
Red Hat
python-django: Password hash disclosure to "view only" admin users2018-10-01
Debian
CVE-2018-16984: python-django - An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users ...2018

💬Community

2
Bugzilla
CVE-2018-16984 python-django: Password hash disclosure to "view only" admin users [fedora-all]2018-10-15
Bugzilla
CVE-2018-16984 python-django: Password hash disclosure to "view only" admin users2018-10-15
CVE-2018-16984 — Insufficiently Protected Credentials | cvebase