CVE-2018-16984
Published 2018-10-02
PriorityP429medium4.9CVSS 3.0
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:N / A:N
EPSS: 2.03% (78.7th percentile)
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | — | — |
| djangoproject | django | >= 2.1 < 2.1.2 | 2.1.2 |
| djangoproject | django | >= 2.1 < 2.1.2 | 2.1.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 4.9 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_debian | — | 4.9 | LOW | — |
| vendor_redhat | — | 4.9 | MEDIUM | — |
OSV
Django allows unprivileged users to read the password hashes of arbitrary accounts
osv · 2018-10-03 · MEDIUM
GHSA
Django allows unprivileged users to read the password hashes of arbitrary accounts
ghsa · 2018-10-03 · MEDIUM · CWE-522
OSV
CVE-2018-16984: An issue was discovered in Django 2
osv · 2018-10-02
Red Hat
python-django: Password hash disclosure to "view only" admin users
vendor_redhat · 2018-10-01 · CVSS 4.9 · MEDIUM · CWE-200
Package: python-django (Red Hat Ceph Storage 2) - Not affected
Package: python-django (Red Hat Certification for Red Hat Enterprise Linux 7) - Not affected
Package: python-django (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Not affected
Package: python-dja
Debian
CVE-2018-16984: python-django - An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users ...
vendor_debian · 2018 · CVSS 4.9 · MEDIUM
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-16984 python-django: Password hash disclosure to "view only" admin users [fedora-all]
bugzilla · 2018-10-15 · CVSS 4.9 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple s
Bugzilla
CVE-2018-16984 python-django: Password hash disclosure to "view only" admin users
bugzilla · 2018-10-15 · CVSS 4.9 · MEDIUM
If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but not change) permission to the user model were displayed the entire hash. While it's typically infeasible to reverse a strong password hash, if your site uses weaker password hashing algorithms such as MD5 or SHA1, it could be a problem.
Affected versions:
Django master development branch
Django 2.1
External References:
https://www.djangoproject.com/weblog/2018/oct/01/security-release/
Discussion:
Created python-django tracking bugs for this issue:
Affects: fedora-all [bug 1639399]
http://www.securitytracker.com/id/1041749
https://security.netapp.com/advisory/ntap-20190502-0009/
https://www.djangoproject.com/weblog/2018/oct/01/security-release/