CVE-2020-11037
Description
In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtails "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ).Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.This has been patched in 2.7.3, 2.8.2, 2.9.
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-11037 are fixed in Python-wagtail 2.7.3 | Windows |
| Vulnerabilities CVE-2020-11037 are fixed in Python-wagtail 2.8.2 | Windows |
| Vulnerabilities CVE-2020-11037 are fixed in Python-wagtail 2.9 | Windows |
| Vulnerabilities CVE-2020-11037 are fixed in Python-wagtail for linux 2.7.3 | Linux |
| Vulnerabilities CVE-2020-11037 are fixed in Python-wagtail for linux 2.8.2 | Linux |
| Vulnerabilities CVE-2020-11037 are fixed in Python-wagtail for linux 2.9 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234