Bug 1538793 (CVE-2018-6188) - CVE-2018-6188 django: Information leakage in AuthenticationForm
Summary: CVE-2018-6188 django: Information leakage in AuthenticationForm
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-6188
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1539132 1539133 1542055 1542056 1542057 1542058
Blocks: 1538794
Reported: 2018-01-25 20:53 UTC by Pedro Sampaio
Modified: 2021-10-21 19:53 UTC (History)

Fixed In Version: Django 2.0.2, Django 1.11.10
Clone Of:
Environment:
Last Closed: 2021-10-21 19:53:51 UTC
Embargoed:



Description Pedro Sampaio 2018-01-25 20:53:45 UTC
A regression in Django 1.11.8 made
django.contrib.auth.forms.AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn't
overridden, an attacker can enter an arbitrary username and see if that user has
been set to is_active=False. If confirm_login_allowed() is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ModelBackend,
has done that since Django 1.10). This issue will be revisited for
Django 2.1 as a fix to address the caveat will likely be too invasive
for inclusion in older versions.

Affected versions
=================

* Django master development branch
* Django 2.0 and 2.0.1
* Django 1.11.8 and 1.11.9
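
The mechanism described above, as an added, dependency-free stand-in for AuthenticationForm.clean() (not Django's own code): clean_regressed() mirrors the 1.11.8 behaviour of looking the user up by username and running confirm_login_allowed() even after the backend rejected the password; clean_fixed() only runs the hook on a user the backend accepted. The user table, passwords and ModelBackend stand-in are constructed for the demo.

```python
INVALID_LOGIN = "Please enter a correct username and password."
INACTIVE = "This account is inactive."

# Constructed user table: username -> (password, is_active). Plaintext for demo only.
USERS = {
    "alice": ("correct-horse", True),
    "bob": ("s3cret", False),
}

def authenticate(username, password):
    """Stand-in for ModelBackend: returns the user only for a matching password
    on an active account (ModelBackend rejects inactive users since Django 1.10)."""
    record = USERS.get(username)
    if record and record[0] == password and record[1]:
        return username
    return None

def confirm_login_allowed(username):
    """Default AuthenticationForm hook: rejects inactive accounts."""
    if not USERS[username][1]:
        raise ValueError(INACTIVE)

def clean_regressed(username, password):
    """Django 1.11.8/1.11.9 and 2.0/2.0.1 (CVE-2018-6188): after the backend
    rejects the credentials, the form looks the user up by username alone and
    runs the hook on it, so the error text depends on the account's state."""
    user = authenticate(username, password)
    if user is None:
        if username in USERS:
            confirm_login_allowed(username)
        raise ValueError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user

def clean_fixed(username, password):
    """Django 2.0.2 / 1.11.10: the hook only runs on a user the backend accepted,
    so a wrong password yields the generic error whatever the account's state."""
    user = authenticate(username, password)
    if user is None:
        raise ValueError(INVALID_LOGIN)
    confirm_login_allowed(user)
    return user

def login_message(clean, username, password):
    """Return the error text a login attempt would display, or 'ok' on success."""
    try:
        clean(username, password)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

With the fixed logic, an inactive account with the correct password also receives the generic error, which is the caveat the advisory notes: ModelBackend rejects the user before the form's inactive-account message can be raised.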

Comment 6 Kurt Seifried 2018-01-26 18:34:13 UTC
Statement:

This issue affects the versions of python-django as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

This issue affects the versions of python-django as shipped with Red Hat Subscription Asset Manager version 1. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 7 Joshua Padman 2018-01-30 02:12:00 UTC
The versions of python-django shipped with Red Hat OpenStack do not contain the vulnerable code and are not affected by this vulnerability.

Comment 8 Andrej Nemec 2018-02-05 13:23:18 UTC
External References:

https://www.djangoproject.com/weblog/2018/feb/01/security-releases/

Comment 9 Andrej Nemec 2018-02-05 13:24:06 UTC
Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1542057]
Affects: fedora-all [bug 1542055]


Created python-django16 tracking bugs for this issue:

Affects: epel-7 [bug 1542056]

Comment 11 Cedric Buissart 2018-02-07 10:18:26 UTC
The versions of Django shipped in calamari-server for Ceph Storage 1.3 & 2 do not contain the vulnerable code and are not affected by this vulnerability.
The version of python-django shipped with Ceph Storage does not contain the vulnerable code and is not affected by this vulnerability.

Comment 13 Cedric Buissart 2018-02-07 10:39:56 UTC
The versions of python-django shipped in Red Hat Gluster Storage and Storage Console do not contain the vulnerable code and are not affected by this vulnerability.
