PT-2020-17861 · Django · Django-Basic-Auth-Ip-Whitelist

Thibaud Colas · Published 2020-06-23 · Updated 2020-07-09 · CVE-2020-4071

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: django-basic-auth-ip-whitelist versions prior to 0.3.4
Description: A potential timing attack exists on sites where basic authentication is configured, i.e. BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD are set. The comparison between the configured credentials and the ones provided by the user is performed character by character and stops at the first mismatch, so the time taken to reject a guess grows with the length of its correct prefix. An attacker who can time the validation of different usernames and passwords can therefore recover the valid credentials one character at a time instead of by brute force. This attack is understood not to be realistic over the Internet but may be achievable from within the local network where the site is hosted. Sites protected by IP address whitelisting only are unaffected by this issue.
Recommendations: Update to version 0.3.4 as soon as possible and rotate the basic authentication username and password configured on any Django project using this package, since the old credentials may already have been recovered. As a temporary workaround, consider disabling basic authentication and relying on the IP whitelisting component only, by leaving BASIC_AUTH_LOGIN and BASIC_AUTH_PASSWORD unset in the Django project settings.
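The following Python script is an added illustration of the weakness and its fix; it is not code from django-basic-auth-ip-whitelist or from the advisory author. It models the early-exit comparison the advisory describes with a counter of characters examined (a deterministic stand-in for elapsed time), shows that the count rises by one for every correct leading character of a guess, and then validates an HTTP Basic `Authorization` header with the standard library's `hmac.compare_digest`, which does not short-circuit. The setting values, the helper names (`naive_equals`, `prefix_leak`, `constant_time_equals`, `basic_header`, `check_basic_auth`) and the header-parsing logic are assumptions made for this example; the package's own middleware is not reproduced here.

```python
import base64
import hmac
from typing import List, Optional, Tuple

# Constructed stand-ins for the Django settings BASIC_AUTH_LOGIN and
# BASIC_AUTH_PASSWORD; the values are assumptions for this example.
CONFIGURED_LOGIN = "admin"
CONFIGURED_PASSWORD = "s3cret-passw0rd"


def naive_equals(expected: str, provided: str) -> Tuple[bool, int]:
    """Early-exit comparison of the kind the advisory describes (vulnerable).

    Returns (matched, characters_examined). The second value is a
    deterministic stand-in for elapsed time: it grows with the length of the
    correct prefix of `provided`, which is the signal a timing attacker reads.
    """
    examined = 0
    for e, p in zip(expected, provided):
        examined += 1
        if e != p:
            return False, examined
    return len(expected) == len(provided), examined


def prefix_leak(expected: str, guesses: List[str]) -> List[int]:
    """How much work the naive comparison does for each guess.

    A rising count tells the attacker that one more leading character is
    correct, so the secret can be recovered one position at a time.
    """
    return [naive_equals(expected, guess)[1] for guess in guesses]


def constant_time_equals(expected: str, provided: str) -> bool:
    """Hardened comparison: hmac.compare_digest does not stop at the first
    differing byte, so the time taken does not reveal the matching prefix.
    Both sides are encoded to bytes because compare_digest only accepts str
    arguments when they are pure ASCII. (In a Django project,
    django.utils.crypto.constant_time_compare serves the same purpose.)
    """
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


def basic_header(login: str, password: str) -> str:
    """Build the Authorization header a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header: Optional[str]) -> bool:
    """Validate an Authorization header against the configured credentials.

    Assumed helper, not the package's own middleware. Malformed input is
    rejected before any comparison; both comparisons are always evaluated so
    that a wrong login does not skip the password check and reveal that fact.
    """
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return False
    login, sep, password = decoded.partition(":")
    if not sep:
        return False
    login_ok = constant_time_equals(CONFIGURED_LOGIN, login)
    password_ok = constant_time_equals(CONFIGURED_PASSWORD, password)
    return login_ok and password_ok


if __name__ == "__main__":
    guesses = ["xxxxx", "axxxx", "adxxx", "admxx", "admix"]
    print("naive work per guess:", prefix_leak(CONFIGURED_LOGIN, guesses))
    print("valid header accepted:", check_basic_auth(basic_header("admin", "s3cret-passw0rd")))
    print("wrong password rejected:", not check_basic_auth(basic_header("admin", "wrong")))
```

Running the script prints `[1, 2, 3, 4, 5]` for the five guesses against the login `admin`: each additional correct leading character costs the naive comparison one more step, which is the measurable difference the advisory warns about. The hardened path returns only a boolean and does its work regardless of where the first mismatch lies; the one thing it still reveals is whether the lengths matched, which is why rotating the credentials after upgrading is still worthwhile.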

Related Identifiers

CVE-2020-4071
GHSA-m38j-pmg3-v5x5
PYSEC-2020-37

Affected Products

Django-Basic-Auth-Ip-Whitelist