CVE-2024-39329

Medium

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate()…

mitre·CWE-208·Published 2024-07-10

CVSS

5.3

EPSS

0.01

KEV

Exploits

cve.orgen

266 chars

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

NVDen

266 chars

OSV.deven

266 chars

GHSAen

268 chars

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The `django.contrib.auth.backends.ModelBackend.authenticate()` method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.

NVDes

323 chars

Se descubrió un problema en Django 5.0 anterior a 5.0.7 y 4.2 anterior a 4.2.14. El método django.contrib.auth.backends.ModelBackend.authenticate() permite a atacantes remotos enumerar usuarios mediante un ataque de sincronización que involucra solicitudes de inicio de sesión para usuarios con una contraseña inutilizable.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Primary	cve.org	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	GHSA	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	NVD	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0	Secondary	GHSA	6.9	—	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N