Bug 1538793 - (CVE-2018-6188) CVE-2018-6188 django: Information leakage in AuthenticationForm
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,reported=20180125,sou...
Keywords: Security
Depends On: 1542058 1539132 1539133 1542055 1542056 1542057
Blocks: 1538794
Reported: 2018-01-25 15:53 EST by Pedro Sampaio
Modified: 2018-06-29 18:31 EDT

Fixed In Version: Django 2.0.2, Django 1.11.10
Description Pedro Sampaio 2018-01-25 15:53:45 EST
A regression in Django 1.11.8 made
django.contrib.auth.forms.AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't
overridden, an attacker can enter an arbitrary username and see if that user has
been set to is_active=False. If confirm_login_allowed() is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ModelBackend,
has done that since Django 1.10). This issue will be revisited for
Django 2.1 as a fix to address the caveat will likely be too invasive
for inclusion in older versions.

Affected versions
=================

* Django master development branch
* Django 2.0 and 2.0.1
* Django 1.11.8 and 1.11.9
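As an added illustration, not code from the Django project or from this bug's reporter, the following self-contained Python model shows the regression and the fix described above without needing Django installed. The user table, passwords and error messages are constructed for the example; the two clean() variants follow only the structure the advisory describes (look the user up by username after a failed authenticate() and call confirm_login_allowed() on it, versus only calling it on an authenticated user) and are a simplification of Django's real AuthenticationForm.

```python
"""Standalone model of CVE-2018-6188: confirm_login_allowed() as a username oracle."""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str          # plaintext only because this is a toy model
    is_active: bool = True


# Constructed sample user table (assumption: one active, one deactivated account).
USERS = {
    "alice": User("alice", "correct-horse", is_active=True),
    "bob": User("bob", "battery-staple", is_active=False),
}


class ValidationError(Exception):
    def __init__(self, message, code):
        super().__init__(message)
        self.code = code


def model_backend_authenticate(username, password):
    """Mimics ModelBackend since 1.10: inactive users and bad passwords both yield None."""
    user = USERS.get(username)
    if user is None or user.password != password or not user.is_active:
        return None
    return user


def confirm_login_allowed(user):
    """Default hook: only rejects inactive accounts (a subclass could reveal more)."""
    if not user.is_active:
        raise ValidationError("This account is inactive.", code="inactive")


def vulnerable_clean(username, password):
    """Django 1.11.8/1.11.9 and 2.0/2.0.1 shape: after auth fails, look the user up by
    name anyway so the 'inactive' message can be shown. This runs the hook even though
    the password was wrong, which is the leak."""
    user = model_backend_authenticate(username, password)
    if user is None:
        looked_up = USERS.get(username)
        if looked_up is not None:
            confirm_login_allowed(looked_up)   # hook runs on an unauthenticated request
        raise ValidationError("Please enter a correct username and password.",
                              code="invalid_login")
    confirm_login_allowed(user)
    return user


def fixed_clean(username, password):
    """Django 2.0.2/1.11.10 shape: the hook only ever sees an authenticated user.
    Caveat from the advisory: an inactive user with the right password now gets the
    generic error, because ModelBackend rejected them before the hook could run."""
    user = model_backend_authenticate(username, password)
    if user is None:
        raise ValidationError("Please enter a correct username and password.",
                              code="invalid_login")
    confirm_login_allowed(user)
    return user


def error_code(clean, username, password):
    """Return the form's error code for one submission, or 'ok' on success."""
    try:
        clean(username, password)
    except ValidationError as exc:
        return exc.code
    return "ok"


def probe(clean, usernames, wrong_password="not-the-password"):
    """What an attacker sees: the error code per username for a deliberately wrong password.
    Any code other than 'invalid_login' distinguishes that username from the rest."""
    return {name: error_code(clean, name, wrong_password) for name in usernames}


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]          # carol does not exist
    print("vulnerable:", probe(vulnerable_clean, names))
    print("fixed:     ", probe(fixed_clean, names))
```

Against the vulnerable variant the probe returns "inactive" for bob and "invalid_login" for both the active alice and the nonexistent carol, so a wrong password alone tells the attacker that bob exists and is deactivated; against the fixed variant all three look identical. Overriding confirm_login_allowed() with checks on other account state (lockouts, expiry, group membership) would leak that state the same way on the vulnerable versions.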
Comment 6 Kurt Seifried 2018-01-26 13:34:13 EST
Statement:

This issue affects the versions of python-django as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of python-django as shipped with Red Hat Subscription Asset Manager version 1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 7 Joshua Padman 2018-01-29 21:12:00 EST
The versions of python-django shipped with Red Hat OpenStack do not contain the vulnerable code and are not affected by this vulnerability.
Comment 8 Andrej Nemec 2018-02-05 08:23:18 EST
External References:

https://www.djangoproject.com/weblog/2018/feb/01/security-releases/
Comment 9 Andrej Nemec 2018-02-05 08:24:06 EST
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1542057]
Affects: fedora-all [bug 1542055]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1542056]
Comment 11 Cedric Buissart 2018-02-07 05:18:26 EST
The versions of Django shipped in calamari-server for Ceph Storage 1.3 & 2 do not contain the vulnerable code and are not affected by this vulnerability.
The version of python-django shipped with Ceph Storage does not contain the vulnerable code and is not affected by this vulnerability.
Comment 13 Cedric Buissart 2018-02-07 05:39:56 EST
The version of python-django shipped in Red Hat Gluster Storage and Storage Console does not contain the vulnerable code and is not affected by this vulnerability.
