Vulnerability CVE-2024-45231: Information

Description

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

Severity: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Published: Oct. 8, 2024
Modified: Oct. 30, 2024

Fixed packages

Package name            Branch                 Fixed in version   Version from repository   Errata ID              Task #   State
python3-module-django   sisyphus               5.0.9-alt1         5.1.5-alt1                ALT-PU-2024-15372-4    361957   Fixed
python3-module-django   sisyphus_e2k           4.2.16-alt1        4.2.17-alt1               ALT-PU-2024-15989-1    -        Fixed
python3-module-django   sisyphus_riscv64       5.0.9-alt1         5.1.5-alt1                ALT-PU-2024-15693-1    -        Fixed
python3-module-django   sisyphus_loongarch64   5.0.9-alt1         5.1.5-alt1                ALT-PU-2024-15704-1    -        Fixed
python3-module-django   p11                    4.2.16-alt1        4.2.18-alt1               ALT-PU-2024-15283-3    362011   Fixed

References to Advisories, Solutions, and Tools

    1. Configuration 1

      cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*   versions from 5.0 (including) up to 5.0.9 (excluding)
      cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*   versions from 4.2.0 (including) up to 4.2.16 (excluding)
      cpe:2.3:a:djangoproject:django:5.1:*:*:*:*:*:*:*