GHSA-jjjr-3jcw-f8v6

Source

https://github.com/advisories/GHSA-jjjr-3jcw-f8v6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-jjjr-3jcw-f8v6/GHSA-jjjr-3jcw-f8v6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jjjr-3jcw-f8v6

Aliases

Published

2020-05-07T18:04:53Z

Modified

2024-11-19T19:24:41.684148Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
4.3 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N CVSS Calculator

Summary

Potential Observable Timing Discrepancy in Wagtail

Details

Impact

A potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. (This is understood to be feasible on a local network, but not on the public internet.)

Privacy settings that restrict access to pages / documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.

Patches

Patched versions have been released as Wagtail 2.7.3 (for the LTS 2.7 branch), Wagtail 2.8.2 and Wagtail 2.9.

Workarounds

Site owners who are unable to upgrade to the new versions can use user- or group-based privacy restrictions to restrict access to sensitive information; these are unaffected by this vulnerability.

Database specific

{
    "nvd_published_at": "2020-04-30T23:15:11Z",
    "cwe_ids": [
        "CWE-208",
        "CWE-362"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-05-07T18:04:33Z"
}

References

Affected packages

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.3

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.4

0.4.1

0.5

0.6

0.7

0.8

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

1.*

1.0b1

1.0b2

1.0rc1

1.0rc2

1.0

1.1rc1

1.1

1.2rc1

1.2

1.3rc1

1.3

1.3.1

1.4rc1

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5rc1

1.5

1.5.1

1.5.2

1.5.3

1.6rc1

1.6

1.6.1

1.6.2

1.6.3

1.7rc1

1.7

1.8rc1

1.8

1.8.1

1.8.2

1.9rc1

1.9

1.9.1

1.10rc1

1.10

1.10.1

1.11rc1

1.11

1.11.1

1.12rc1

1.12

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.13rc1

1.13

1.13.1

1.13.2

1.13.3

1.13.4

2.*

2.0b1

2.0rc1

2.0

2.0.1

2.0.2

2.1rc1

2.1rc2

2.1

2.1.1

2.1.2

2.1.3

2.2rc1

2.2rc2

2.2

2.2.1

2.2.2

2.3rc1

2.3rc2

2.3

2.4rc1

2.4

2.5rc1

2.5

2.5.1

2.5.2

2.6rc1

2.6

2.6.1

2.6.2

2.6.3

2.7rc1

2.7rc2

2.7

2.7.1

2.7.2

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.8rc1

Fixed

2.8.2

Affected versions

2.*

2.8rc1

2.8

2.8.1

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.9rc1

Fixed

2.9

Affected versions

2.*

2.9rc1