Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-x7q2-wr7g-xqmf: Django vulnerable to user enumeration attack

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

ghsa
#git#auth

Django vulnerable to user enumeration attack

High severity GitHub Reviewed Published Jul 10, 2024 to the GitHub Advisory Database • Updated Jul 10, 2024

Related news

Red Hat Security Advisory 2024-9481-03

Red Hat Security Advisory 2024-9481-03 - An update for python-django is now available for Red Hat OpenStack Platform 18.0.3 . Issues addressed include a traversal vulnerability.

Red Hat Security Advisory 2024-8906-03

Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.

Red Hat Security Advisory 2024-6428-03

Red Hat Security Advisory 2024-6428-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include denial of service, memory exhaustion, remote SQL injection, and traversal vulnerabilities.

Ubuntu Security Notice USN-6888-2

Ubuntu Security Notice 6888-2 - USN-6888-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop responding, resulting in a denial of service.

Ubuntu Security Notice USN-6888-1

Ubuntu Security Notice 6888-1 - Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this issue to cause Django to consume resources or stop responding, resulting in a denial of service. It was discovered that Django incorrectly handled authenticating users with unusable passwords. A remote attacker could possibly use this issue to perform a timing attack and enumerate users.

ghsa: Latest News

GHSA-49cc-xrjf-9qf7: SFTPGo allows administrators to restrict command execution from the EventManager