Bug 1538793 (CVE-2018-6188)

Summary: CVE-2018-6188 django: Information leakage in AuthenticationForm
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, bcourt, bkearney, cbillett, cbuissar, chrisw, hvyas, jakub.dornak, jal233, jjoyce, jmatthew, jschluet, lhh, lpeer, markmc, mburns, mhroncok, michel, mmccune, mrunge, ohadlevy, rbryant, rchan, sclewis, security-response-team, sisharma, slinaber, srevivo, tdecacqu, tomckay, tsanders
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Django 2.0.2, Django 1.11.10
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 19:53:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1539132, 1539133, 1542055, 1542056, 1542057, 1542058
Bug Blocks: 1538794

Description Pedro Sampaio 2018-01-25 20:53:45 UTC
A regression in Django 1.11.8 made
django.contrib.auth.forms.AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't
overridden, an attacker can enter an arbitrary username and see if that user has
been set to is_active=False. If confirm_login_allowed() is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ModelBackend,
has done that since Django 1.10). This issue will be revisited for
Django 2.1 as a fix to address the caveat will likely be too invasive
for inclusion in older versions.

Affected versions
=================

* Django master development branch
* Django 2.0 and 2.0.1
* Django 1.11.8 and 1.11.9
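
As an added illustration (not part of this bug report or of Django's own code), the following pure-Python model of AuthenticationForm.clean() contrasts the regressed flow with the fixed one. The user table, the user names and passwords, the shortened error strings and the `authenticate` stand-in for ModelBackend are all constructed for the demo; the point it shows is why the wrong-password path must never reach confirm_login_allowed().

```python
import hmac
from hashlib import pbkdf2_hmac

INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."

def _hash(pw):  # stand-in for Django's password hasher (demo only)
    return pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", 1000)
USERS = {  # constructed user table; names and passwords are made up
    "alice": {"hash": _hash("correct-horse"), "is_active": True},
    "mallory": {"hash": _hash("hunter2"), "is_active": False},
}
def authenticate(username, password):
    """Mimics ModelBackend (>= 1.10): wrong password or inactive user -> None."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["hash"], _hash(password)):
        return None
    return user if user["is_active"] else None
def confirm_login_allowed(user):
    """Default AuthenticationForm hook: refuse inactive accounts."""
    if not user["is_active"]:
        raise ValueError(INACTIVE)

def clean_1_11_8(username, password):
    """Regressed flow: on authenticate() failure the user is looked up by name
    and confirm_login_allowed() runs before the password is known to be right."""
    try:
        user = authenticate(username, password)
        if user is None:
            if username in USERS:  # lookup by natural key, password unchecked
                confirm_login_allowed(USERS[username])
            return INVALID_LOGIN
        confirm_login_allowed(user)
    except ValueError as e:
        return str(e)  # message the client sees
    return None  # login succeeded

def clean_1_11_10(username, password):
    """Fixed flow: confirm_login_allowed() only sees an authenticated user."""
    try:
        user = authenticate(username, password)
        if user is None:
            return INVALID_LOGIN
        confirm_login_allowed(user)
    except ValueError as e:
        return str(e)
    return None
def leaks_is_active(clean):
    """True if a wrong password yields different messages for an inactive and a
    nonexistent user, i.e. the form acts as an is_active oracle."""
    return clean("mallory", "wrong") != clean("nobody", "wrong")
```

The fixed flow also exhibits the caveat from the advisory: because the backend already rejects inactive users, an inactive user with the right password now gets the generic message rather than "This account is inactive."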

Comment 6 Kurt Seifried 2018-01-26 18:34:13 UTC
Statement:

This issue affects the versions of python-django as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of python-django as shipped with Red Hat Subscription Asset Manager version 1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 7 Joshua Padman 2018-01-30 02:12:00 UTC
The versions of python-django shipped with Red Hat OpenStack do not contain the vulnerable code and are not affected by this vulnerability.

Comment 8 Andrej Nemec 2018-02-05 13:23:18 UTC
External References:

https://www.djangoproject.com/weblog/2018/feb/01/security-releases/

Comment 9 Andrej Nemec 2018-02-05 13:24:06 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1542057]
Affects: fedora-all [bug 1542055]
Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1542056]

Comment 11 Cedric Buissart 2018-02-07 10:18:26 UTC
The versions of Django shipped in calamari-server for Ceph Storage 1.3 & 2 do not contain the vulnerable code and are not affected by this vulnerability.
The version of python-django shipped with Ceph Storage does not contain the vulnerable code and is not affected by this vulnerability.

Comment 13 Cedric Buissart 2018-02-07 10:39:56 UTC
The version of python-django shipped in Red Hat Gluster Storage and Storage Console does not contain the vulnerable code and is not affected by this vulnerability.