PT-2018-13817 · Django Software Foundation · Django

Phithon Gong · Published 2018-10-02 · Updated 2026-01-03 · CVE-2018-16984

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Django versions 2.1 through 2.1.1; Django versions prior to 2.1.2

Description
An issue allows unprivileged users to read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash can be bypassed if a user has only the "view" permission, resulting in the display of the entire password hash. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

Recommendations
Update to Django 2.1.2 or later. This applies both to versions 2.1 through 2.1.1 and to all earlier releases.

Weakness Enumeration

Insufficiently Protected Credentials

Related identifiers

CVE-2018-16984
GHSA-6MX3-3VQG-HPP2
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2018-3

Affected products

Django