CVE-2018-16984
MEDIUMDjango 2.1 - Unauthenticated Password Hash Exposure via Read-Only Password Widget
Title source: llmDescription
An issue was discovered in Django 2.1 before 2.1.2, in which unprivileged users can read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash was bypassed if a user has only the "view" permission (new in Django 2.1), resulting in display of the entire password hash to those users. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2018/oct/01/security-release/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041749
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190502-0009/
Scores
CVSS v3
4.9
EPSS
0.0203
EPSS Percentile
78.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-522
Status
published
Products (2)
djangoproject/django
2.1 - 2.1.2
pypi/Django
2.1 - 2.1.2PyPI
Published
Oct 02, 2018
Tracked Since
Feb 18, 2026