Vulnerability Details : CVE-2018-16984
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
Products affected by CVE-2018-16984
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-16984
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 41 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-16984
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
4.9
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
1.2
|
3.6
|
NIST |
CWE ids for CVE-2018-16984
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-16984
-
https://security.netapp.com/advisory/ntap-20190502-0009/
CVE-2018-16984 Django Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.djangoproject.com/weblog/2018/oct/01/security-release/
Django security release issued: 2.1.2 | Weblog | DjangoVendor Advisory
-
http://www.securitytracker.com/id/1041749
Django Password Change Flaw Lets Remote Authenticated Administrative Users View Hashed Passwords on the Target System - SecurityTrackerThird Party Advisory;VDB Entry
Jump to