CVE-2024-45231
Enumeration vulnerability in django (PyPI)
What is CVE-2024-45231 About?
This vulnerability in Django's password reset form allows remote attackers to enumerate user e-mail addresses. By observing the outcome of password reset requests, attackers can determine if an e-mail is registered, impacting user privacy. Exploitation is relatively easy under specific error conditions.
Affected Software
- django
  - >5.0, <5.0.9
  - >5.1, <5.1.1
  - <4.2.16
Technical Details
The django.contrib.auth.forms.PasswordResetForm class, when integrated into a password reset workflow, is susceptible to an enumeration attack. If the e-mail sending mechanism consistently fails (e.g., due to misconfiguration or an external service outage), attackers can send password reset requests with different e-mail addresses. By observing the distinct responses or behaviors between attempts for registered and unregistered e-mails (e.g., a slightly different error message, a delay, or a specific log entry if visible), an attacker can deduce whether a given e-mail address exists in the system. This side-channel information leakage allows for systematic enumeration of email addresses.
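The side channel and its mitigation, as an added Django-free illustration (not Django's own code): the user store and the always-failing mailer are constructed stand-ins, and the two handlers model the pre-fix flow, where a delivery failure only ever surfaces for a registered address, next to a hardened flow that catches and logs the failure so every address gets the same response.

```python
import logging

logger = logging.getLogger(__name__)

# Constructed sample user store standing in for the User table.
REGISTERED_USERS = {"alice@example.com", "bob@example.com"}


class MailSendError(Exception):
    """Stands in for an SMTP/backend failure during e-mail delivery."""


def broken_mailer(to_address: str) -> None:
    # Simulates an outage or misconfiguration: every send attempt fails.
    raise MailSendError(f"could not deliver to {to_address}")


def reset_vulnerable(email: str, send=broken_mailer) -> str:
    """Models the pre-fix flow: mail is only sent for registered users,
    so a send failure escapes for them and never for unknown addresses."""
    if email in REGISTERED_USERS:
        send(email)  # raises, which becomes a 500 only for registered users
    return "302 redirect to password_reset_done"


def reset_hardened(email: str, send=broken_mailer) -> str:
    """Catches and logs delivery failures so both branches respond alike."""
    if email in REGISTERED_USERS:
        try:
            send(email)
        except Exception:
            logger.exception("Failed to send password reset email to %s", email)
    return "302 redirect to password_reset_done"


def observe(handler, email: str) -> str:
    """What an unauthenticated client sees from the reset endpoint."""
    try:
        return handler(email)
    except Exception:
        return "500 internal server error"


def response_differs(handler, known: str, unknown: str) -> bool:
    """True when the endpoint's response reveals which address is registered."""
    return observe(handler, known) != observe(handler, unknown)


if __name__ == "__main__":
    for name, handler in (("vulnerable", reset_vulnerable), ("hardened", reset_hardened)):
        leaks = response_differs(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: response reveals registration = {leaks}")
```

In a real deployment the same check is a regression test: submit a registered and an unregistered address with the mail backend forced to fail and assert both status codes match.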
What is the Impact of CVE-2024-45231?
Successful exploitation may allow attackers to gather valid user email addresses, leading to targeted phishing attacks, spam, or further social engineering attempts against individuals.
What is the Exploitability of CVE-2024-45231?
Exploitation of this vulnerability is of moderate complexity, primarily requiring observation of system responses rather than complex code execution. There are no authentication prerequisites; an unauthenticated remote attacker can initiate password reset requests. No special privileges are required. The attack is remote, as it involves interacting with the web application's public-facing password reset endpoint. A crucial condition for successful enumeration is that email sending must consistently fail, allowing for observable differences in system behavior. Risk factors increasing exploitation likelihood include verbose error messages or distinct response times for existing versus non-existing email addresses when email delivery fails.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-45231?
About the Fix from Resolved Security
Available Upgrade Options
- django
  - <4.2.16 → Upgrade to 4.2.16
  - >5.0, <5.0.9 → Upgrade to 5.0.9
  - >5.1, <5.1.1 → Upgrade to 5.1.1
Additional Resources
- https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199
- https://groups.google.com/forum/#%21forum/django-announce
- https://github.com/django/django
- https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca
- https://www.djangoproject.com/weblog/2024/sep/03/security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2024-45231
- https://osv.dev/vulnerability/GHSA-rrqc-c2jx-6jgv
- https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2
- https://docs.djangoproject.com/en/dev/releases/security/
What are Similar Vulnerabilities to CVE-2024-45231?
Similar Vulnerabilities: CVE-2020-28246, CVE-2021-23351, CVE-2021-39144, CVE-2022-24348, CVE-2023-38501
