CVE-2018-6188
Published 2018-02-05
Priority P3 · 45 · high · 7.5 CVSS 3.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 4.90% (91.0th percentile)
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | python-django | < python-django 1:1.11.10-1 (bookworm) | python-django 1:1.11.10-1 (bookworm) |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | — | — |
| djangoproject | django | >= 1.11.8 < 1.11.10 | 1.11.10 |
| djangoproject | django | >= 2.0a1 < 2.0.2 | 2.0.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
OSV
Django vulnerable to information leakage in AuthenticationForm
osv·2018-10-03
CVE-2018-6188 [HIGH] Django vulnerable to information leakage in AuthenticationForm
`django.contrib.auth.forms.AuthenticationForm` in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the `confirm_login_allowed()` method, as demonstrated by discovering whether a user account is inactive.
GHSA
Django vulnerable to information leakage in AuthenticationForm
ghsa·2018-10-03
CVE-2018-6188 [HIGH] CWE-200 Django vulnerable to information leakage in AuthenticationForm
`django.contrib.auth.forms.AuthenticationForm` in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the `confirm_login_allowed()` method, as demonstrated by discovering whether a user account is inactive.
OSV
CVE-2018-6188: django
osv·2018-02-05·CVSS 7.5
CVE-2018-6188 [HIGH] CVE-2018-6188: django
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Ubuntu
Django vulnerabilities
vendor_ubuntu·2018-02-07·CVSS 6.1
CVE-2017-12794 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled certain requests.
An attacker could possibly use this to access sensitive information.
(CVE-2017-12794, CVE-2018-6188)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
django: Information leakage in AuthenticationForm
vendor_redhat·2018-02-05·CVSS 7.5
CVE-2018-6188 [HIGH] CWE-209 django: Information leakage in AuthenticationForm
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Statement: This issue affects the versions of python-django as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue affects the versions of python-django as shipped with Red Hat Subscription Ass
Debian
CVE-2018-6188: python-django - django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.1...
vendor_debian·2018·CVSS 7.5
CVE-2018-6188 [HIGH] CVE-2018-6188: python-django - django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.1...
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Scope: local
bookworm: resolved (fixed in 1:1.11.10-1)
bullseye: resolved (fixed in 1:1.11.10-1)
forky: resolved (fixed in 1:1.11.10-1)
sid: resolved (fixed in 1:1.11.10-1)
trixie: resolved (fixed in 1:1.11.10-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-6188 python-django16: django: Information leakage in AuthenticationForm [epel-7]
bugzilla·2018-02-05·CVSS 7.5
CVE-2018-6188 [HIGH] CVE-2018-6188 python-django16: django: Information leakage in AuthenticationForm [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to f
Bugzilla
CVE-2018-6188 python-django: django: Information leakage in AuthenticationForm [fedora-all]
bugzilla·2018-02-05·CVSS 7.5
CVE-2018-6188 [HIGH] CVE-2018-6188 python-django: django: Information leakage in AuthenticationForm [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2018-6188 python-django: django: Information leakage in AuthenticationForm [epel-7]
bugzilla·2018-02-05·CVSS 7.5
CVE-2018-6188 [HIGH] CVE-2018-6188 python-django: django: Information leakage in AuthenticationForm [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for
Bugzilla
CVE-2018-6188 django: Information leakage in AuthenticationForm
bugzilla·2018-01-25·CVSS 7.5
CVE-2018-6188 [HIGH] CVE-2018-6188 django: Information leakage in AuthenticationForm
A regression in Django 1.11.8 made
django.contrib.auth.forms.AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't
overridden, an attacker can enter an arbitrary username and see if that user has
been set to is_active=False. If confirm_login_allowed() is overridden,
more sensitive details could be leaked.
This issue is fixed with the caveat that AuthenticationForm can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ModelBackend,
has done that since Django 1.10
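The order-of-checks regression described above, modelled in plain Python as an added illustration. This is not Django's own code and needs no Django install: a small in-memory store stands in for the user model, `model_backend_authenticate` follows the page's statement that the default backend rejects inactive users, and `vulnerable_clean` / `fixed_clean` mirror the form's `clean()` step before and after the 1.11.10 / 2.0.2 fix. All names, the sample users and `leaks_account_state` (a regression check a maintainer can keep in a test suite) are assumptions of this example.

```python
"""CVE-2018-6188 modelled without Django: why calling confirm_login_allowed()
before the password has been verified leaks whether an account is inactive."""
import hashlib
import hmac
from dataclasses import dataclass

INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."


class ValidationError(Exception):
    """Stand-in for django.forms.ValidationError."""


def _hash(raw: str) -> str:
    # Illustrative only; a real app uses Django's password hashers.
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class FakeUser:
    username: str
    password_hash: str
    is_active: bool = True

    def check_password(self, raw: str) -> bool:
        return hmac.compare_digest(self.password_hash, _hash(raw))


# Constructed sample store: one active and one deactivated account.
USERS = {
    "alice": FakeUser("alice", _hash("correct horse"), is_active=True),
    "bob": FakeUser("bob", _hash("battery staple"), is_active=False),
}


def get_user(username: str):
    return USERS.get(username)


def model_backend_authenticate(username: str, password: str):
    """ModelBackend contract as the page states it (Django >= 1.10): a user is
    returned only when the password matches AND the account is active."""
    user = get_user(username)
    if user is None or not user.check_password(password):
        return None
    if not user.is_active:
        return None
    return user


def confirm_login_allowed(user: FakeUser) -> None:
    """Default policy hook: reject inactive accounts with a specific message."""
    if not user.is_active:
        raise ValidationError(INACTIVE)


def vulnerable_clean(username: str, password: str):
    """Django 1.11.8 / 1.11.9 behaviour: when authentication fails the form
    still looks the account up and runs confirm_login_allowed() on it, so the
    error message depends on account state rather than on the password."""
    user = model_backend_authenticate(username, password)
    if user is None:
        candidate = get_user(username)
        if candidate is not None:
            confirm_login_allowed(candidate)  # the regression
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user


def fixed_clean(username: str, password: str):
    """Django 1.11.10 / 2.0.2 behaviour: only a user the backend actually
    authenticated reaches confirm_login_allowed(). The caveat from the release
    note follows: an inactive user rejected by the backend gets the generic
    message, never "This account is inactive."."""
    user = model_backend_authenticate(username, password)
    if user is None:
        raise ValidationError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user


def login_error(clean, username: str, password: str):
    """Message produced by one login attempt, or None when it succeeds."""
    try:
        clean(username, password)
    except ValidationError as exc:
        return str(exc)
    return None


def leaks_account_state(clean) -> bool:
    """Regression check: with a wrong password, the error must be identical
    for an active, an inactive and a nonexistent account."""
    messages = {login_error(clean, name, "wrong-guess")
                for name in ("alice", "bob", "nobody")}
    return len(messages) > 1


if __name__ == "__main__":
    for name, clean in (("vulnerable", vulnerable_clean), ("fixed", fixed_clean)):
        print(name, "leaks account state:", leaks_account_state(clean))
```

The check passes for `fixed_clean` because every failed attempt collapses to the same generic message; the price, visible in the test below, is that a deactivated user who types the right password also sees that generic message, which is exactly the caveat the release note records.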