CVE-2020-11037

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ). Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:torchbox:wagtail:*:*:*:*:lts:*:*:*
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*

History

21 Nov 2024, 04:56

Type Values Removed Values Added
CVSS v2 : 1.9
v3 : 4.7
v2 : 1.9
v3 : 6.1
References () https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6 - Third Party Advisory () https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6 - Third Party Advisory

19 Nov 2024, 16:15

Type Values Removed Values Added
References
  • () https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf -
  • () https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090 -
  • () https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11 -
  • () https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340 -
Summary (en) In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet. Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9. (en) In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ). Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.

Information

Published : 2020-04-30 23:15

Updated : 2024-11-21 04:56


NVD link : CVE-2020-11037

Mitre link : CVE-2020-11037

CVE.ORG link : CVE-2020-11037


JSON object : View

Products Affected

torchbox

  • wagtail
CWE
CWE-208

Observable Timing Discrepancy

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')