-
Notifications
You must be signed in to change notification settings - Fork 85
Expand file tree
/
Copy pathPYSEC-2020-153.yaml
More file actions
36 lines (36 loc) · 1.25 KB
/
PYSEC-2020-153.yaml
File metadata and controls
36 lines (36 loc) · 1.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
id: PYSEC-2020-153
details: In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack exists
on pages or documents that have been protected with a shared password through Wagtail's
"Privacy" controls. This password check is performed through a character-by-character
string comparison, and so an attacker who is able to measure the time taken by this
check to a high degree of accuracy could potentially use timing differences to gain
knowledge of the password. This is understood to be feasible on a local network,
but not on the public internet. Privacy settings that restrict access to pages/documents
on a per-user or per-group basis (as opposed to a shared password) are unaffected
by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.
affected:
- package:
name: wagtail
ecosystem: PyPI
purl: pkg:pypi/wagtail
ranges:
- type: ECOSYSTEM
events:
- introduced: "2.7"
- fixed: 2.7.3
- introduced: "2.8"
- fixed: 2.8.2
versions:
- "2.7"
- 2.7.1
- 2.7.2
- "2.8"
- 2.8.1
references:
- type: ADVISORY
url: https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6
aliases:
- CVE-2020-11037
- GHSA-jjjr-3jcw-f8v6
modified: "2020-05-08T15:57:00Z"
published: "2020-04-30T23:15:00Z"