Description
CVE-2018-16984 - Medium Severity Vulnerability
Vulnerable Library - Django-1.4.1.tar.gz
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
path: /test1111/requirements.txt
Library home page: https://pypi.python.org/packages/e6/3f/f3e67d9c2572765ffe4268fc7f9997ce3b02e78fd144733f337d72dabb12/Django-1.4.1.tar.gz
Dependency Hierarchy:
- ❌ Django-1.4.1.tar.gz (Vulnerable Library)
Found in HEAD commit: 62fc916d94bd6f0b01520b2422e2421c65cf16e4
Vulnerability Details
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
Publish Date: 2018-10-02
URL: CVE-2018-16984
CVSS 3 Score Details (4.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041749
Fix Resolution: The vendor has issued a fix (2.1.2).
The vendor advisory is available at:
https://www.djangoproject.com/weblog/2018/oct/01/security-release/