CVE-2024-39329
Published 2024-07-10
Priority P428 · medium · 5.3 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS 0.89% · 54.9th percentile
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.14 | 4.2.14 |
| djangoproject | django | >= 4.2 < 4.2.14 | 4.2.14 |
| djangoproject | django | >= 5.0 < 5.0.7 | 5.0.7 |
| djangoproject | django | >= 5.0 < 5.0.7 | 5.0.7 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| osv | 7.5 | HIGH | |
| vendor_ubuntu | 7.5 | HIGH | |
| vendor_debian | 5.3 | MEDIUM | |
| vendor_redhat | 5.3 | MEDIUM | |
Ubuntu
Django vulnerabilities
vendor_ubuntu·2024-07-11·CVSS 7.5
CVE-2024-39330 [HIGH] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
USN-6888-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the sto
Ubuntu
Django vulnerabilities
vendor_ubuntu·2024-07-09·CVSS 7.5
CVE-2024-39330 [HIGH] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
possibly use this issue to save files into arbitrary directories.
(CVE-2024-39330)
It was disco
Red Hat
python-django: Username enumeration through timing difference for users with unusable passwords
vendor_redhat·2024-07-09·CVSS 5.3
CVE-2024-39329 [MEDIUM] CWE-208 python-django: Username enumeration through timing difference for users with unusable passwords
python-django: Username enumeration through timing difference for users with unusable passwords
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
A vulnerability was found in Python-Django in the django.contrib.auth.backends.ModelBackend.authenticate() method. This flaw allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, a
Debian
CVE-2024-39329: python-django - An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The dj...
vendor_debian·2024·CVSS 5.3
CVE-2024-39329 [MEDIUM] CVE-2024-39329: python-django - An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The dj...
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Scope: local
bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
forky: resolved (fixed in 3:4.2.14-1)
sid: resolved (fixed in 3:4.2.14-1)
trixie: resolved (fixed in 3:4.2.14-1)
OSV
python-django vulnerabilities
osv·2024-07-11·CVSS 7.5
CVE-2024-38875 [HIGH] python-django vulnerabilities
python-django vulnerabilities
USN-6888-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 18.04 LTS.
Original advisory details:
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
pos
GHSA
Django vulnerable to user enumeration attack
ghsa·2024-07-10
CVE-2024-39329 [MEDIUM] CWE-208 Django vulnerable to user enumeration attack
Django vulnerable to user enumeration attack
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The `django.contrib.auth.backends.ModelBackend.authenticate()` method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
OSV
CVE-2024-39329: An issue was discovered in Django 5
osv·2024-07-10·CVSS 5.3
CVE-2024-39329 [MEDIUM] CVE-2024-39329: An issue was discovered in Django 5
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
OSV
Django vulnerable to user enumeration attack
osv·2024-07-10
CVE-2024-39329 [MEDIUM] Django vulnerable to user enumeration attack
Django vulnerable to user enumeration attack
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The `django.contrib.auth.backends.ModelBackend.authenticate()` method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
OSV
python-django vulnerabilities
osv·2024-07-09·CVSS 7.5
CVE-2024-38875 [HIGH] python-django vulnerabilities
python-django vulnerabilities
Elias Myllymäki discovered that Django incorrectly handled certain inputs
with a large number of brackets. A remote attacker could possibly use this
issue to cause Django to consume resources or stop responding, resulting in
a denial of service. (CVE-2024-38875)
It was discovered that Django incorrectly handled authenticating users with
unusable passwords. A remote attacker could possibly use this issue to
perform a timing attack and enumerate users. (CVE-2024-39329)
Josh Schneier discovered that Django incorrectly handled file path
validation when the storage class is being derived. A remote attacker could
possibly use this issue to save files into arbitrary directories.
(CVE-2024-39330)
It was discovered that Django incorrectly handled certain long strin
No detection rules found.
No public exploits indexed.
References
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
- https://security.netapp.com/advisory/ntap-20240808-0005/