The password hasher in contrib/auth/hashers.py
in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
{ "nvd_published_at": "2016-04-08T15:59:00Z", "cwe_ids": [ "CWE-200" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-07-31T22:16:33Z" }