CVE-2024-39329
Timing Attack vulnerability in django (PyPI)
What is CVE-2024-39329 About?
Django 5.0 before 5.0.7 and 4.2 before 4.2.14 are vulnerable to a timing attack in the `authenticate()` method. This allows remote attackers to enumerate valid usernames by observing differences in response times during login attempts. While it doesn't directly grant access, it can aid in brute-force attacks, making it moderately easy to exploit.
Affected Software
- django
- >5.0, <5.0.7
- >4.2, <4.2.14
Technical Details
The vulnerability exists in the `django.contrib.auth.backends.ModelBackend.authenticate()` method in Django 5.0 prior to 5.0.7 and 4.2 prior to 4.2.14. The method takes measurably different time to process a login request for a user with an unusable password than for a user with an invalid but usable password. An attacker can send login requests with a known username and an incorrect password and, by carefully measuring the response time, distinguish a user that exists but has an unusable password (e.g., a locked account) from a user that does not exist or has a usable password. This timing difference allows user enumeration, which can then inform further brute-force or credential-stuffing attacks, and it requires no prior authentication.
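The timing gap described above, as an added illustration that is not Django's own code: a toy password store in which unusable passwords are marked with a `!` prefix (an assumption modelled on Django's convention), a vulnerable `authenticate()` that returns early for such accounts, and a hardened version that runs the same hasher on every failure path. Instead of measuring wall-clock time, the example instruments the hasher with a call counter, because "every failure path performs the same expensive work" is the invariant a reviewer should check.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed toy user store. Unusable passwords are stored with a "!" prefix;
# this mirrors the shape of Django's convention but is not Django's code.
UNUSABLE_PREFIX = "!"
ITERATIONS = 20_000  # small PBKDF2 work factor so the example runs quickly

# Instrumentation: counts how many times the expensive hasher ran, so each
# authentication path's amount of work can be compared deterministically.
hash_calls = {"count": 0}


def make_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 and encode salt + digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def make_unusable_password() -> str:
    """Mark an account as having no usable password (e.g. SSO-only or locked)."""
    return UNUSABLE_PREFIX + secrets.token_hex(20)


def is_password_usable(encoded: str) -> bool:
    return not encoded.startswith(UNUSABLE_PREFIX)


def verify(password: str, encoded: str) -> bool:
    """Recompute the digest and compare in constant time; counts as one unit of work."""
    hash_calls["count"] += 1
    _, salt_hex, digest_hex = encoded.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


USERS = {
    "alice": make_password("correct horse"),  # normal account
    "bob": make_unusable_password(),          # unusable password
}
DUMMY_HASH = make_password("dummy")  # used only to burn equal time on failure paths


def authenticate_vulnerable(username: str, password: str) -> Optional[str]:
    """Vulnerable pattern: nonexistent users get a dummy hash, but accounts with
    an unusable password return before any hashing, so they answer faster."""
    encoded = USERS.get(username)
    if encoded is None:
        verify(password, DUMMY_HASH)
        return None
    if not is_password_usable(encoded):
        return None  # early return: no hashing work on this path
    return username if verify(password, encoded) else None


def authenticate_hardened(username: str, password: str) -> Optional[str]:
    """Hardened pattern: every failure path runs the hasher exactly once."""
    encoded = USERS.get(username)
    if encoded is None or not is_password_usable(encoded):
        verify(password, DUMMY_HASH)
        return None
    return username if verify(password, encoded) else None


def hash_work(backend, username: str, password: str) -> int:
    """Return how many hasher invocations one authentication attempt caused."""
    before = hash_calls["count"]
    backend(username, password)
    return hash_calls["count"] - before


if __name__ == "__main__":
    for backend in (authenticate_vulnerable, authenticate_hardened):
        for user in ("alice", "bob", "nobody"):
            print(backend.__name__, user, "hash calls:", hash_work(backend, user, "wrong"))
```

Running the block prints one hasher call for every user under the hardened backend, but zero for `bob` under the vulnerable one; that zero is the side channel the advisory describes, and a unit test asserting equal work across all three user kinds is a cheap regression check for this class of bug.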
What is the Impact of CVE-2024-39329?
Successful exploitation may allow attackers to enumerate valid usernames, facilitating further brute-force or credential-stuffing attacks and potentially leading to unauthorized access.
What is the Exploitability of CVE-2024-39329?
Exploitation of this timing attack is of moderate complexity. It requires an attacker to repeatedly send login requests with varying usernames and accurately measure the response times from the server. There are no explicit authentication or privilege requirements, as the attack targets the authentication process itself, making it accessible to remote unauthenticated attackers. The attack is remote, as it involves sending requests over the network. Prerequisites include the ability to send requests to the Django login endpoint and a sufficiently accurate timing mechanism. The likelihood of exploitation increases when the application's server and network latency are stable and predictable, allowing for clearer timing distinctions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-39329?
About the Fix from Resolved Security
Available Upgrade Options
- django
- >4.2, <4.2.14 → Upgrade to 4.2.14
- django
- >5.0, <5.0.7 → Upgrade to 5.0.7
Additional Resources
- https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2024-39329
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-7436273
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-57.yaml
- https://osv.dev/vulnerability/GHSA-x7q2-wr7g-xqmf
- https://github.com/django/django
- https://github.com/django/django/commit/07cefdee4a9d1fcd9a3a631cbd07c78defd1923b
What are Similar Vulnerabilities to CVE-2024-39329?
Similar Vulnerabilities: CVE-2023-23910, CVE-2022-21703, CVE-2021-4202, CVE-2020-14362, CVE-2019-10200
