PT-2024-31489 · Django+7

Thibaut Spriet · Published 2024-09-03 · Updated 2026-01-03

CVE-2024-45231

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Django before 4.2.16, 5.0.x before 5.0.9, and 5.1.x before 5.1.1 (the issue is fixed in 4.2.16, 5.0.9 and 5.1.1).

Description

An issue was discovered in the django.contrib.auth.forms.PasswordResetForm class. The form only attempts to send a reset message for e-mail addresses that belong to an existing user, and an exception raised while sending that message was not handled. When e-mail sending is consistently failing (for example, the mail backend is down), a password reset request for an existing user's address therefore produced an error response, while a request for an unknown address completed normally. A remote attacker can submit password reset requests and use that difference in outcome to enumerate valid user e-mail addresses. Exceptions occurring during password reset email sending are now handled and logged using the "django.contrib.auth" logger, so the response is the same whether or not the address exists.

Recommendations

Update to Django 4.2.16, 5.0.9 or 5.1.1 (or a later release of the same series), where exceptions occurring during password reset email sending are handled and logged using the "django.contrib.auth" logger. As a temporary workaround, subclass PasswordResetForm and wrap the reset e-mail sending step in your own exception handling and logging, so that a delivery failure does not change the response the requester sees; also check the mail backend itself, since the enumeration only works while sending fails consistently.
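The following added example (not Django's code and not part of the original advisory) reproduces the behaviour described above and the workaround in plain Python, so it runs without Django installed. The classes VulnerablePasswordResetForm and HardenedPasswordResetForm, the USERS table, the failing mail backend and the view function are constructed stand-ins that mirror the control flow of Django's form and view; the vulnerable variant lets the send failure propagate, the hardened variant catches it and logs to the "django.contrib.auth" logger as the fix does. The is_enumerable() function is the attacker's oracle: it compares the status seen for a known address with that for an unknown one.

```python
import logging
from typing import Callable, Dict, Iterable, List, Tuple

# Django's fix logs delivery failures to this logger name; here it is an
# ordinary Python logger we attach a capturing handler to.
logger = logging.getLogger("django.contrib.auth")
logger.addHandler(logging.NullHandler())  # keep stderr quiet when nothing is capturing

# Constructed stand-in for the auth user table: e-mail -> username.
USERS: Dict[str, str] = {"alice@example.com": "alice"}


class MailBackendDown(RuntimeError):
    """Stand-in for the exception an SMTP backend raises on delivery failure."""


def failing_send_mail(subject: str, to_email: str) -> None:
    """Simulates an e-mail backend that is consistently failing (the advisory's precondition)."""
    raise MailBackendDown(f"could not deliver {subject!r} to {to_email}")


class VulnerablePasswordResetForm:
    """Mirrors the pre-fix control flow: a send_mail() exception propagates to the view."""

    def __init__(self, email: str,
                 send_mail: Callable[[str, str], None] = failing_send_mail) -> None:
        self.email = email
        self.send_mail = send_mail

    def get_users(self) -> Iterable[str]:
        # Only accounts whose e-mail matches get a reset message at all,
        # so send_mail() is reached only for existing users.
        username = USERS.get(self.email.lower())
        return [username] if username else []

    def save(self) -> None:
        for user in self.get_users():
            self.send_mail("Password reset", self.email)  # may raise


class HardenedPasswordResetForm(VulnerablePasswordResetForm):
    """Mirrors the fix (and the workaround): catch the failure, log it, return normally."""

    def save(self) -> None:
        for user in self.get_users():
            try:
                self.send_mail("Password reset", self.email)
            except Exception:
                logger.exception("Failed to send password reset email to %s", user)


def password_reset_view(form_cls, email: str) -> int:
    """Constructed view: returns the HTTP status an attacker would observe.

    A Django view redirects (302) after a valid form; an unhandled exception
    becomes the generic 500 response.
    """
    try:
        form_cls(email).save()
    except Exception:
        return 500
    return 302


class _ListHandler(logging.Handler):
    """Collects log records so the test can check what the logger received."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[logging.LogRecord] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(record)


def reset_with_log_capture(form_cls, email: str) -> Tuple[int, List[str]]:
    """Run one reset request; return (status, messages logged to django.contrib.auth)."""
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        status = password_reset_view(form_cls, email)
    finally:
        logger.removeHandler(handler)
    return status, [r.getMessage() for r in handler.records]


def is_enumerable(form_cls, known: str = "alice@example.com",
                  unknown: str = "nobody@example.com") -> bool:
    """Attacker's oracle: do a known and an unknown address respond differently?"""
    return password_reset_view(form_cls, known) != password_reset_view(form_cls, unknown)


if __name__ == "__main__":
    for cls in (VulnerablePasswordResetForm, HardenedPasswordResetForm):
        for addr in ("alice@example.com", "nobody@example.com"):
            status, logged = reset_with_log_capture(cls, addr)
            print(f"{cls.__name__:30} {addr:20} -> {status}  logged={logged}")
        print(f"{cls.__name__}: enumerable = {is_enumerable(cls)}")
```

In a real Django project the equivalent workaround is a subclass of django.contrib.auth.forms.PasswordResetForm that overrides send_mail() with the same try/except-and-log pattern, passed to PasswordResetView through its form_class attribute; the point to verify after patching or working around is the one the oracle above checks, namely that a known and an unknown address produce the same status while the mail backend is failing.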

Weakness Enumeration

Generation of Error Message Containing Sensitive Information
Side Channel Attack

Related Identifiers

ALT-PU-2024-15283
ALT-PU-2025-10176
BDU:2025-09401
BIT-DJANGO-2024-45231
CVE-2024-45231
GHSA-RRQC-C2JX-6JGV
MGASA-2025-0039
OESA-2024-2278
OESA-2024-2279
OESA-2024-2280
OESA-2024-2281
OESA-2024-2282
OPENSUSE-SU-2024:0282-1
OPENSUSE-SU-2024:14310-1
OPENSUSE-SU-2024:14318-1
OPENSUSE-SU-2024_3139-1
OPENSUSE-SU-2024_3161-1
OPENSUSE-SU-2026:10005-1
SUSE-SU-2024:3139-1
SUSE-SU-2024:3161-1
USN-6987-1

Affected Products

ALT Linux
Astra Linux
Debian
Django
Linux Mint
RED OS
SUSE
Ubuntu