Vulnerability Details : CVE-2020-11037
In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ).
Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.
This has been patched in 2.7.3, 2.8.2, 2.9.
Products affected by CVE-2020-11037
- cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
- cpe:2.3:a:torchbox:wagtail:*:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11037
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 13 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-11037
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
1.9
|
LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N |
3.4
|
2.9
|
NIST | |
|
4.7
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.0
|
3.6
|
NIST | |
|
6.1
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N |
0.8
|
4.7
|
GitHub, Inc. |
CWE ids for CVE-2020-11037
-
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.Assigned by: security-advisories@github.com (Secondary)
-
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11037
-
https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340
Use constant_time_compare for view restriction password checks · wagtail/wagtail@bac3cd0 · GitHub
-
https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf
Use constant_time_compare for view restriction password checks · wagtail/wagtail@3c03049 · GitHub
-
https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11
Use constant_time_compare for view restriction password checks · wagtail/wagtail@ba9d424 · GitHub
-
https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6
Page not found · GitHub · GitHubThird Party Advisory
-
https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090
Release note for CVE-2020-11037 in 2.9 · wagtail/wagtail@b76ab57 · GitHub
Jump to