CVE-2024-39329Observable Timing Discrepancy in Django

CWE-208Observable Timing Discrepancy11 documents7 sources
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 62.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Djangoproject Django
Timeline
PublishedJul 10
Latest updateJul 11

Description

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDdjangoproject/django4.24.2.14+1
PyPIdjangoproject/django5.05.0.7+1

🔴Vulnerability Details

6
OSV
python-django vulnerabilities2024-07-11
GHSA
Django vulnerable to user enumeration attack2024-07-10
OSV
CVE-2024-39329: An issue was discovered in Django 52024-07-10
CVEList
CVE-2024-39329: An issue was discovered in Django 52024-07-10
OSV
Django vulnerable to user enumeration attack2024-07-10

📋Vendor Advisories

4
Ubuntu
Django vulnerabilities2024-07-11
Ubuntu
Django vulnerabilities2024-07-09
Red Hat
python-django: Username enumeration through timing difference for users with unusable passwords2024-07-09
Debian
CVE-2024-39329: python-django - An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The dj...2024
CVE-2024-39329 — Observable Timing Discrepancy | cvebase