Potential Observable Timing Discrepancy in Wagtail
CVE-2020-11037

6.1 MEDIUM

Key Information:

Vendor: Wagtail

CVE Published: 30 April 2020

What is CVE-2020-11037?

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet.

Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.

This has been patched in 2.7.3, 2.8.2, 2.9.
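
The comparison weakness described above, shown as an added example (this is not Wagtail's code, and the page does not show the actual patch). It counts how many characters an early-exit check examines for guesses with progressively longer correct prefixes, next to a fixed-work model and the standard library's hmac.compare_digest; the sample password, guesses and function names are constructed for illustration.

```python
import hmac

STORED = "s3cret-pw"  # constructed sample shared password
# Constructed guesses, same length as STORED, with 0, 2, 5 and 9 correct leading characters.
GUESSES = ["xxxxxxxxx", "s3xxxxxxx", "s3crexxxx", "s3cret-pw"]


def early_exit_equal(supplied, stored):
    """Character-by-character check; returns (match, characters examined)."""
    examined = 0
    if len(supplied) != len(stored):
        return False, examined
    for a, b in zip(supplied, stored):
        examined += 1
        if a != b:  # stops at the first mismatch, so the work done depends on the secret
            return False, examined
    return True, examined


def fixed_work_equal(supplied, stored):
    """Model of a constant-time check: every stored byte is examined, mismatch or not."""
    a, b = supplied.encode("utf-8"), stored.encode("utf-8")
    examined = 0
    diff = len(a) ^ len(b)  # a length difference also forces a non-match
    for i in range(len(b)):
        examined += 1
        diff |= (a[i % len(a)] if a else 0) ^ b[i]  # accumulate differences, never branch
    return diff == 0, examined


def password_matches(supplied, stored):
    """Production form: the standard library's constant-time comparison.

    Encoding to bytes first lets compare_digest accept non-ASCII passwords.
    """
    return hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))


def work_profile(check, guesses, stored=STORED):
    """Characters examined per guess; any variation here is what a timing measurement sees."""
    return [check(g, stored)[1] for g in guesses]


if __name__ == "__main__":
    print("early exit:", work_profile(early_exit_equal, GUESSES))
    print("fixed work:", work_profile(fixed_work_equal, GUESSES))
    print("compare_digest accepts correct password:", password_matches("s3cret-pw", STORED))
```

The step counts stand in for elapsed time so the result is deterministic; a regression test for a password check can assert the same property, that the work done does not vary with how much of the guess is correct.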

Affected Version(s)

Wagtail < 2.7.3

Wagtail >= 2.8rc1, < 2.8.2

Wagtail = 2.9rc1

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
