PT-2020-14188 · Django · Django Two-Factor Authentication
Benweissmann +2 · Published 2020-07-10 · Updated 2020-07-21 · CVE-2020-15105
CVSS v4.0: 6.0 (Medium)
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Django Two-Factor Authentication versions prior to 1.12
Description
Django Two-Factor Authentication before 1.12 stores the user's password in clear text in the Django session. The session payload is base64-encoded as part of normal session serialization, but base64 is an encoding, not encryption, so anyone who can read the stored session can read the password. The password is written to the session when the user submits their username and password in the first login step, and it is removed once the user completes the second factor. The severity depends on the configured session storage backend. In the worst case, with Django's database session backend, users' passwords are stored in clear text in the database. In the best case, with the signed-cookie session backend, passwords are only stored in clear text within the user's own browser cookie store. In the common case of the cache session backend, passwords are stored in clear text in the configured cache, typically Memcached or Redis. After upgrading to a fixed version, delete any stored clear text passwords (for example, session records in the database) and purge this data from backups and replicas. Organizations that have also suffered a database breach should inform users that their clear text passwords have been compromised, and all organizations should encourage affected users to change those passwords on any other sites where they were reused.
Recommendations
For versions prior to 1.12, upgrade to version 1.12 or later to resolve the issue.
After upgrading, delete any clear text passwords that have already been stored, such as session records in the database, and purge this data from database backups and replicas as well.
As a temporary workaround, consider switching Django's session storage to signed cookies instead of the database or cache. This does not stop the password from being written to the session, it only moves the clear text copy into the user's browser cookie store, and it should not be done without a thorough understanding of the security tradeoffs of signed cookies versus server-side session storage.
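The following script is an added example for this advisory; it is not code from django-two-factor-auth or from Django. It shows why the "base64-encoded" session payload offers no protection (Django's pre-3.1 session format is base64 of `<hash>:<json>`, reproduced here in plain Python so it runs without Django installed) and carries out the cleanup step from the recommendations against a database session table. The `django_session` rows, the `wizard_login_view` / `auth-password` key layout and the secret key are constructed assumptions for illustration, so the scanner matches any nested key ending in `password` rather than relying on a fixed path.

```python
"""Find and delete django_session rows that still hold a clear text password.

Added example (not django-two-factor-auth or Django code). Mimics Django's
legacy session encoding, base64(hash + ':' + json), and scans an in-memory
SQLite copy of django_session built from constructed rows.
"""
import base64
import hashlib
import hmac
import json
import sqlite3

# Assumption: stands in for settings.SECRET_KEY; only used to produce a hash of
# the right shape. Reading the data never needs it.
SECRET_KEY = "constructed-secret-key-not-a-real-one"


def encode_session(data: dict) -> str:
    """Mimic pre-3.1 SessionBase.encode(): base64(hexdigest + ':' + json)."""
    serialized = json.dumps(data, separators=(",", ":")).encode()
    # Stand-in for Django's salted_hmac; it authenticates the payload, it does not hide it.
    digest = hmac.new(SECRET_KEY.encode(), serialized, hashlib.sha1).hexdigest()
    return base64.b64encode(digest.encode() + b":" + serialized).decode("ascii")


def decode_session(session_data: str) -> dict:
    """Anyone holding the row (DBA, backup, replica, attacker) can do this."""
    raw = base64.b64decode(session_data.encode("ascii"))
    _hash, serialized = raw.split(b":", 1)  # hash is skipped: no key material required
    return json.loads(serialized)


def find_password_keys(obj, path=""):
    """Yield dotted paths of every key ending in 'password' anywhere in the session dict."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower().endswith("password"):
                yield here
            yield from find_password_keys(value, here)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from find_password_keys(value, f"{path}[{i}]")


def build_sample_db() -> sqlite3.Connection:
    """Constructed rows: one login stuck between the two factors, one finished, one anonymous."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE django_session "
        "(session_key TEXT PRIMARY KEY, session_data TEXT, expire_date TEXT)"
    )
    rows = {
        # Assumed layout of the login wizard's step data (illustrative only).
        "s1-mid-login": {
            "wizard_login_view": {
                "step": "token",
                "step_data": {"auth": {"auth-username": "alice", "auth-password": "hunter2"}},
            }
        },
        "s2-logged-in": {"_auth_user_id": "7", "_auth_user_backend": "django.contrib.auth.backends.ModelBackend"},
        "s3-anonymous": {"cart": [1, 2, 3]},
    }
    conn.executemany(
        "INSERT INTO django_session VALUES (?, ?, ?)",
        [(k, encode_session(v), "2020-07-24 00:00:00") for k, v in rows.items()],
    )
    conn.commit()
    return conn


def purge_cleartext_passwords(conn: sqlite3.Connection) -> dict:
    """Return {session_key: [paths]} for rows holding a password, then delete those rows."""
    hits = {}
    for key, data in conn.execute("SELECT session_key, session_data FROM django_session"):
        paths = list(find_password_keys(decode_session(data)))
        if paths:
            hits[key] = paths
    conn.executemany("DELETE FROM django_session WHERE session_key = ?", [(k,) for k in hits])
    conn.commit()
    return hits


def remaining_sessions(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM django_session").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print(purge_cleartext_passwords(db))
    print(remaining_sessions(db), "sessions left")
```

Deleting the row logs that user out of a half-finished login, which is the intended outcome. The same scan has to be repeated on every copy of the table the advisory mentions (backups and replicas), and for cache-backed sessions the equivalent is flushing the session keys from Memcached or Redis rather than querying a table.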
Weakness Enumeration
Cleartext Storage of Sensitive Information (CWE-312)
Related Identifiers
CVE-2020-15105
Affected Products
Django Two-Factor Authentication