{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-39329", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T04:19:20.702Z", "dateReserved": "2024-06-23T00:00:00", "datePublished": "2024-07-10T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-10T04:48:41.258715"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-208", "lang": "en", "description": "CWE-208 Observable Timing Discrepancy"}]}], "affected": [{"vendor": "djangoproject", "product": "django", "cpes": ["cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.0", "status": "affected", "lessThan": "5.0.7", "versionType": "custom"}, {"version": "4.2", "status": "affected", "lessThan": "4.2.14", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-10T16:17:00.476005Z", "id": "CVE-2024-39329", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T20:38:21.855Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.702Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/", "tags": ["x_transferred"]}, {"url": "https://groups.google.com/forum/#%21forum/django-announce", "tags": ["x_transferred"]}, {"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-39329", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-10T16:17:00.476005Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*"], "vendor": "djangoproject", "product": "django", "versions": [{"status": "affected", "version": "5.0", "lessThan": "5.0.7", "versionType": "custom"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.14", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T16:26:17.485Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-10T04:48:41.258715"}}}, "cveMetadata": {"cveId": "CVE-2024-39329", "state": "PUBLISHED", "dateUpdated": "2024-07-10T20:38:21.855Z", "dateReserved": "2024-06-23T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-10T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Django 5.0 anterior a 5.0.7 y 4.2 anterior a 4.2.14. El m\u00e9todo django.contrib.auth.backends.ModelBackend.authenticate() permite a atacantes remotos enumerar usuarios mediante un ataque de sincronizaci\u00f3n que involucra solicitudes de inicio de sesi\u00f3n para usuarios con una contrase\u00f1a inutilizable."}], "id": "CVE-2024-39329", "lastModified": "2024-07-11T15:06:11.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-10T05:15:12.097", "references": [{"source": "cve@mitre.org", "url": "https://docs.djangoproject.com/en/dev/releases/security/"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21forum/django-announce"}, {"source": "cve@mitre.org", "url": "https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6428", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-django-0:4.2.15-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-09-05T00:00:00Z"}, {"advisory": "RHSA-2024:6428", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-django-0:4.2.15-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-09-05T00:00:00Z"}], "bugzilla": {"description": "python-django: Username enumeration through timing difference for users with unusable passwords", "id": "2295936", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295936"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-208", "details": ["An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.", "A vulnerability was found in Python-Django in the django.contrib.auth.backends.ModelBackend.authenticate() method. This flaw allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-39329", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-lightspeed-container", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:certifications:1::el7", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:certifications:1::el8", "fix_state": "Affected", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:certifications:1::el9", "fix_state": "Affected", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:discovery:1.0::el8", "fix_state": "Affected", "package_name": "discovery-server-container", "product_name": "Red Hat Discovery"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Affected", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "python-django20", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Affected", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-07-09T14:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39329\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39329"], "threat_severity": "Low"}