GHSA-6mx3-3vqg-hpp2

Source: https://github.com/advisories/GHSA-6mx3-3vqg-hpp2
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6mx3-3vqg-hpp2/GHSA-6mx3-3vqg-hpp2.json
JSON Data: https://api.osv.dev/v1/vulns/GHSA-6mx3-3vqg-hpp2
Aliases: (none listed)
Published: 2018-10-03T20:07:39Z
Modified: 2024-09-18T19:07:30.122563Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Django allows unprivileged users to read the password hashes of arbitrary accounts
Details

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
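The bypass described above, modelled as an added, simplified Python example (not Django's own code): a view-only rendering path that falls through to the raw model value exposes the whole stored hash, whereas a path that defers to a widget marked read-only shows only a masked summary. The sample hash, the function names and the `read_only` marker are constructed for illustration; the version check uses the affected range stated on this page.

```python
# Constructed sample in the algorithm$iterations$salt$hash layout; not a real credential.
SAMPLE_HASH = "pbkdf2_sha256$120000$kT9xLmQp2vFa$7Yq2cHb0GfZ5Vn8Xo1Wz3Rk6Lm9Tp4Sd2Hq7Jf0Cn1Bv3="

def mask_hash(value, show=6, char="*"):
    """Keep the first `show` characters and mask the rest (the obfuscated-display idea)."""
    return value[:show] + char * (len(value) - show)

def safe_summary(encoded):
    """Summarise an algorithm$iterations$salt$hash string with salt and hash masked."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    return {"algorithm": algorithm, "iterations": iterations,
            "salt": mask_hash(salt, show=2), "hash": mask_hash(digest)}

class ReadOnlyPasswordHashWidget:
    """Stand-in (hypothetical) for a widget that renders only the masked summary."""
    read_only = True  # marker that the hardened rendering path honours

    def render(self, value):
        return "; ".join(f"{k}: {v}" for k, v in safe_summary(value).items())

def display_for_field(value):
    """Generic read-only display: returns the raw model value unchanged."""
    return str(value)

def render_readonly_field(value, widget, hardened=True):
    """Model of read-only field rendering for a user with only the view permission.
    Vulnerable behaviour: the generic display path runs and returns the raw hash.
    Hardened behaviour: a widget that declares itself read_only renders instead."""
    if hardened and getattr(widget, "read_only", False):
        return widget.render(value)
    return display_for_field(value)

def hash_is_exposed(rendered, encoded):
    """True if the full digest component of the stored hash appears in the output."""
    return encoded.split("$", 3)[3] in rendered

def is_affected_version(version):
    """Version-range check from the advisory: introduced 2.1, fixed 2.1.2."""
    parts = tuple(int(p) for p in version.split("."))
    return (2, 1) <= parts < (2, 1, 2)

if __name__ == "__main__":
    widget = ReadOnlyPasswordHashWidget()
    for hardened in (False, True):
        out = render_readonly_field(SAMPLE_HASH, widget, hardened=hardened)
        print(f"hardened={hardened}: exposed={hash_is_exposed(out, SAMPLE_HASH)} -> {out}")
```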

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:19:52Z"
}
Affected packages

PyPI / django

Affected ranges: Type ECOSYSTEM; Introduced 2.1; Fixed 2.1.2

Affected versions: 2.1, 2.1.1