Vulnerability Name:

CVE-2018-16984 (CCN-150668)

Assigned:2018-10-01
Published:2018-10-01
Updated:2019-10-03
Summary:An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
CVSS v3 Severity:4.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
4.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-522
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2018-16984

Source: CCN
Type: SECTRACK ID: 1041749
Django Password Change Flaw Lets Remote Authenticated Administrative Users View Hashed Passwords on the Target System

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1041749

Source: XF
Type: UNKNOWN
django-cve201816984-info-disc(150668)

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190502-0009/

Source: CCN
Type: Django Web site
Django security release issued: 2.1.2

Source: CONFIRM
Type: Vendor Advisory
https://www.djangoproject.com/weblog/2018/oct/01/security-release/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:djangoproject:django:*:*:*:*:*:*:*:* (Version >= 2.1 and < 2.1.2)

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:113248
    P
    		python36-Django-3.2.7-2.3 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106660
    P
    		python36-Django-3.2.7-2.3 on GA media (Moderate)
    2021-10-01
    oval:com.ubuntu.bionic:def:201816984000
    V
    		CVE-2018-16984 on Ubuntu 18.04 LTS (bionic) - low.
    2018-10-02
    oval:com.ubuntu.cosmic:def:2018169840000000
    V
    		CVE-2018-16984 on Ubuntu 18.10 (cosmic) - low.
    2018-10-02
    oval:com.ubuntu.cosmic:def:201816984000
    V
    		CVE-2018-16984 on Ubuntu 18.10 (cosmic) - low.
    2018-10-02
    oval:com.ubuntu.bionic:def:2018169840000000
    V
    		CVE-2018-16984 on Ubuntu 18.04 LTS (bionic) - low.
    2018-10-02
    oval:com.ubuntu.trusty:def:201816984000
    V
    		CVE-2018-16984 on Ubuntu 14.04 LTS (trusty) - low.
    2018-10-02
    oval:com.ubuntu.xenial:def:2018169840000000
    V
    		CVE-2018-16984 on Ubuntu 16.04 LTS (xenial) - low.
    2018-10-02
    oval:com.ubuntu.xenial:def:201816984000
    V
    		CVE-2018-16984 on Ubuntu 16.04 LTS (xenial) - low.
    2018-10-02
    BACK
    djangoproject django *