PT-2024-6224 · Django+5

Published: 2024-06-23 · Updated: 2026-01-03 · CVE-2024-39329

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Django versions 4.2 through 4.2.13
Django versions 5.0 through 5.0.6

Description
The issue allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. The weakness lies in the django.contrib.auth.backends.ModelBackend.authenticate() method. The vulnerability can be exploited to gain unauthorized access to protected information (in this case, whether a given user account exists).

Recommendations
For Django versions 4.2 through 4.2.13, update to version 4.2.14 or later.
For Django versions 5.0 through 5.0.6, update to version 5.0.7 or later.
As a temporary workaround until the patch can be applied, consider restricting access to the django.contrib.auth.backends.ModelBackend.authenticate() method.

Related Identifiers

ALT-PU-2024-10534
ALT-PU-2025-10176
BDU:2024-07168
BIT-DJANGO-2024-39329
CVE-2024-39329
GHSA-X7Q2-WR7G-XQMF
MGASA-2025-0039
OESA-2024-2002
OESA-2024-2003
OESA-2024-2004
OESA-2024-2036
OESA-2024-2280
OPENSUSE-SU-2024:0251-1
OPENSUSE-SU-2024:14203-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2024_2545-1
OPENSUSE-SU-2026:10005-1
PYSEC-2024-57
RHSA-2024:6428
RHSA-2024:8906
RHSA-2024:9481
SUSE-SU-2024:2545-1
SUSE-SU-2024:2577-1
USN-6888-1
USN-6888-2

Affected Products

ALT Linux
Debian
Django
Linux Mint
SUSE
Ubuntu