CVE-2018-16984

Published: 02/10/2018 Updated: 03/10/2019
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 4.9 | Impact Score: 3.6 | Exploitability Score: 1.2
VMScore: 356
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Summary

An issue exists in Django 2.1 prior to 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

djangoproject django

Vendor Advisories

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash ...
If an admin user has the change permission to the user model, only part of the password hash is displayed in the change form. Admin users with the view (but not change) permission to the user model were displayed the entire hash. While it's typically infeasible to reverse a strong password hash, if your site uses weaker password hashing algorithms ...