Insufficiently protected credentials in Django - CVE-2018-16984


Published: October 2, 2018 / Updated: July 17, 2020


Vulnerability identifier: #VU31195
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-16984
CWE-ID: CWE-522
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Django Software Foundation
Affected software:
Django

Detailed vulnerability description

The vulnerability allows a remote privileged user to gain access to sensitive information.

An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
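The defensive side of this advisory, as an added example rather than Django's own code: a masked summary that never exposes a full stored hash, whichever permission the viewer holds, plus an audit that lists accounts still carrying the legacy insecure hashes the advisory warns about. It follows Django's `<algorithm>$...` encoding convention; the function names and the sample accounts below are constructed for illustration.

```python
# Added example (not Django's own code): mask stored Django password hashes for
# display and flag accounts that still use weak legacy algorithms. The hash
# formats mirror Django's "<algorithm>$..." convention; sample data is constructed.
import re

# Algorithms a defender would treat as insecure for stored credentials.
WEAK_ALGORITHMS = {"md5", "unsalted_md5", "sha1", "unsalted_sha1", "crypt"}


def identify_algorithm(encoded: str) -> str:
    """Return the algorithm name of a Django-style encoded password."""
    if re.fullmatch(r"[0-9a-f]{32}", encoded):
        return "unsalted_md5"          # bare hex digest, pre-salting era
    if encoded.startswith("sha1$$"):
        return "unsalted_sha1"         # Django's "sha1$$<hash>" form
    if "$" not in encoded:
        return "unknown"
    return encoded.split("$", 1)[0]


def mask_hash(value: str, show: int = 6, char: str = "*") -> str:
    """Keep only the first `show` characters and pad the rest with `char`."""
    if len(value) <= show:
        return value
    return value[:show] + char * (len(value) - show)


def masked_summary(encoded: str) -> dict:
    """Summary safe to show to any admin user, including view-only ones."""
    algorithm = identify_algorithm(encoded)
    parts = encoded.split("$")
    summary = {"algorithm": algorithm}
    if algorithm.startswith("pbkdf2") and len(parts) == 4:
        summary["iterations"] = parts[1]
        summary["salt"] = mask_hash(parts[2], show=2)
        summary["hash"] = mask_hash(parts[3])
    else:
        # Weak or unknown formats: reveal nothing beyond a masked tail.
        summary["hash"] = mask_hash(parts[-1])
    return summary


def audit_users(users: dict) -> list:
    """Return usernames whose stored hash uses a weak algorithm (sorted)."""
    return sorted(u for u, h in users.items() if identify_algorithm(h) in WEAK_ALGORITHMS)


# Constructed sample accounts (not real credentials).
SAMPLE_USERS = {
    "alice": "pbkdf2_sha256$120000$abcdefghijkl$" + "A" * 43 + "=",
    "legacy_bob": "md5$saltsalt$" + "b" * 32,
    "legacy_carol": "c" * 32,  # unsalted MD5 left over from an old migration
}
```

Running `audit_users(SAMPLE_USERS)` names the accounts to force through a rehash, and `masked_summary` is what any display path should call, since the advisory's defect was a path that skipped the masking for view-only users.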


How to mitigate CVE-2018-16984

Install the update from the vendor's website.

Sources