QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2020-11037

Back to search

CVE-2020-11037

Published: Apr 30, 2020

Modified: Nov 19, 2024

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ). Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.

VendorProductVersions

wagtail

Wagtail

affected
< 2.7.3
affected
>= 2.8rc1, < 2.8.2
affected
= 2.9rc1

Weaknesses (CWE)

CWE-208

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now