Описание
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Отчет
This issue affects the versions of python-django as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue affects the versions of python-django as shipped with Red Hat Subscription Asset Manager version 1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 1.3 | Django | Not affected | ||
| Red Hat Ceph Storage 2 | python-django | Not affected | ||
| Red Hat Ceph Storage 3 | python-django | Not affected | ||
| Red Hat Enterprise Linux 8 | python-django | Will not fix | ||
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) | python-django | Not affected | ||
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | python-django | Not affected | ||
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools | python-django | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | python-django | Not affected | ||
| Red Hat OpenStack Platform 11 (Ocata) | python-django | Not affected | ||
| Red Hat OpenStack Platform 12 (Pike) | python-django | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0. ...
Django vulnerable to information leakage in AuthenticationForm
Уязвимость метода confirm_login_allowed() программной платформы для веб-приложений Django, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным
EPSS
5.3 Medium
CVSS3