mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 22:26:08 +00:00
Code Issues 32 Releases Wiki Activity

[4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords.

Browse Source 
Refs #20760.

Thanks Michael Manfre for the fix and to Adam Johnson for the review.
This commit is contained in:
Michael Manfre
2024-06-14 22:12:58 -04:00
committed by Natalia
parent 79f3687642
commit 156d3186c9
3 changed files with 47 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
docs/releases/4.2.14.txt
View File

@@ -13,3 +13,10 @@ CVE-2024-38875: Potential denial-of-service vulnerability in ``django.utils.html
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via certain inputs with a very large number of
brackets.
CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords
================================================================================================
The :meth:`~django.contrib.auth.backends.ModelBackend.authenticate()` method
allowed remote attackers to enumerate users via a timing attack involving login
requests for users with unusable passwords.