CVE Vulnerabilities

CVE-2024-39329

Observable Timing Discrepancy

Published: Jul 10, 2024 | Modified: Jun 16, 2025
Severity
Source CVSS 2.x CVSS 3.x
NVD N/A
RedHat/V2 (not provided)
RedHat/V3 3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Ubuntu LOW

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
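The timing channel the description refers to, shown as an added example that is not Django's code: a simplified re-implementation of check_password() and ModelBackend.authenticate() with a PBKDF2-SHA256 stand-in for the password hasher (reduced to 20,000 rounds so the demo runs in under a second), a constructed two-user table, and a median-of-five timer. check_password_vulnerable() models the pre-fix behaviour, where an encoded password starting with "!" (Django's unusable-password marker) short-circuits before any hashing; check_password_fixed() always pays for one hasher run before returning False. The Hasher class, the function names and the user names are this example's own assumptions.

```python
"""Model of CVE-2024-39329: a user with an unusable password answers a login
attempt much faster than a user with a real password (or a nonexistent user,
for which Django already runs a dummy hash). Hypothetical recreation, not
Django's code."""
import hashlib
import hmac
import os
import statistics
import time

# Constructed parameters: far fewer PBKDF2 rounds than Django's default so the
# demo is quick. Only the ratio between code paths matters here.
ITERATIONS = 20_000
UNUSABLE_PASSWORD_PREFIX = "!"  # same marker Django uses for unusable passwords


class Hasher:
    """PBKDF2-SHA256 stand-in for Django's default hasher; counts its calls."""

    def __init__(self):
        self.calls = 0

    def encode(self, password, salt):
        self.calls += 1
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
        return f"pbkdf2_sha256${ITERATIONS}${salt}${digest.hex()}"

    def verify(self, password, encoded):
        _, _, salt, _ = encoded.split("$")
        return hmac.compare_digest(self.encode(password, salt), encoded)


HASHER = Hasher()


def make_password(password):
    """Like Django's make_password(): None yields an unusable password."""
    if password is None:
        return UNUSABLE_PASSWORD_PREFIX + os.urandom(20).hex()
    return HASHER.encode(password, os.urandom(8).hex())


def is_password_usable(encoded):
    return not encoded.startswith(UNUSABLE_PASSWORD_PREFIX)


def check_password_vulnerable(password, encoded):
    # Pre-fix behaviour: an unusable password returns before any hashing, so
    # the request completes orders of magnitude faster than for a usable one.
    if password is None or not is_password_usable(encoded):
        return False
    return HASHER.verify(password, encoded)


def check_password_fixed(password, encoded):
    # Hardened behaviour: run the hasher once even when the result is discarded,
    # so unusable and usable passwords cost the same. This is the idea behind the
    # upstream fix, re-implemented here in simplified form.
    if password is None or not is_password_usable(encoded):
        HASHER.encode(password or "", os.urandom(8).hex())
        return False
    return HASHER.verify(password, encoded)


def authenticate(users, username, password, check):
    """Simplified ModelBackend.authenticate(): returns the username on success."""
    encoded = users.get(username)
    if encoded is None:
        # Django already hashes once for unknown users (ticket #20760), so
        # "no such user" is not distinguishable from "wrong password".
        HASHER.encode(password, os.urandom(8).hex())
        return None
    if check(password, encoded):
        return username
    return None


def median_seconds(fn, rounds=5):
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn()
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def run_demo():
    """Time a wrong-password login for each account under both check variants."""
    users = {  # constructed sample accounts
        "alice": make_password("correct horse battery staple"),
        "svc-bot": make_password(None),  # e.g. SSO-only account, set_unusable_password()
    }
    results = {}
    for label, check in (("vulnerable", check_password_vulnerable),
                         ("fixed", check_password_fixed)):
        results[label] = {
            u: median_seconds(lambda u=u, c=check: authenticate(users, u, "wrong-guess", c))
            for u in ("alice", "svc-bot", "nobody")
        }
    return results


if __name__ == "__main__":
    for label, timings in run_demo().items():
        print(label, {u: f"{t * 1e3:.3f} ms" for u, t in timings.items()})
```

Run it and compare the three timings per variant: under the vulnerable check, the account with an unusable password answers in microseconds while the real and nonexistent users take a full hasher run, which is exactly the distinguisher an attacker averages out over the network (hence AC:H in the Red Hat vector). Unusable passwords are common for SSO-only, service and pre-provisioned accounts, so the enumerable set is often the interesting one. To check an installation, `python -c "import django; print(django.get_version())"` should report 4.2.14 or later on the 4.2 series, 5.0.7 or later on the 5.0 series, or a distribution package that backports the fix.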

Weakness

CWE-208 (Observable Timing Discrepancy): two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. Here the distinguishing operation is the password check, which skips the hasher entirely for accounts whose stored password is unusable.

Affected Software

Name Vendor Start Version End Version
Django Djangoproject 4.2 (including) 4.2.14 (excluding)
Django Djangoproject 5.0 (including) 5.0.7 (excluding)
Red Hat Ansible Automation Platform 2.4 for RHEL 8 RedHat python3x-django-0:4.2.15-1.el8ap *
Red Hat Ansible Automation Platform 2.4 for RHEL 9 RedHat python-django-0:4.2.15-1.el9ap *
Red Hat OpenStack Services on OpenShift 18.0 RedHat python-django-0:3.2.12-8.el9ost *
Red Hat Satellite 6.16 for RHEL 8 RedHat python-django-0:4.2.16-1.el8pc *
Red Hat Satellite 6.16 for RHEL 9 RedHat python-django-0:4.2.16-1.el9pc *
Python-django Ubuntu esm-infra/bionic *
Python-django Ubuntu focal *
Python-django Ubuntu jammy *
Python-django Ubuntu mantic *
Python-django Ubuntu noble *
Python-django Ubuntu trusty/esm *

References