CVE-2020-11037
Potential Observable Timing Discrepancy in Wagtail
Description
In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet. Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.
How to fix CVE-2020-11037
To remediate CVE-2020-11037, upgrade the affected package to a fixed version below.
- —upgrade to 2.7.3 or later
- —upgrade to 2.8.2 or later
Is CVE-2020-11037 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.7.3
- >= 2.8, < 2.8.2, >= 2.7, < 2.7.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N |