nvd-json-data-feeds/CVE-2020/CVE-2020-151xx/CVE-2020-15105.json

{
  "id": "CVE-2020-15105",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2020-07-10T21:15:10.950",
  "lastModified": "2024-11-21T05:04:49.277",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you're using Django's default database session storage, then users' passwords are stored in clear text in your database. In the best case, if you're using Django's signed cookie session, then users' passwords are only stored in clear text within their browser's cookie store. In the common case of using Django's cache session store, the users' passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you're using the database session backend, you'll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django's session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading."
    },
    {
      "lang": "es",
      "value": "Django Two-Factor Authentication versiones anteriores a 1.12, almacena la contrase\u00f1a del usuario en texto sin cifrar en la sesi\u00f3n del usuario (codificada en base64). La contrase\u00f1a es almacenada en la sesi\u00f3n cuando el usuario introduce su nombre de usuario y contrase\u00f1a, y se elimina una vez que completa la autenticaci\u00f3n al ingresar un c\u00f3digo de autenticaci\u00f3n de dos factores. Esto quiere decir que la contrase\u00f1a es almacenada en texto sin cifrar en la sesi\u00f3n durante un per\u00edodo de tiempo arbitrario, y potencialmente para siempre si el usuario comienza el proceso de inicio de sesi\u00f3n ingresando su nombre de usuario y contrase\u00f1a y luego se sale antes de ingresar su c\u00f3digo de autenticaci\u00f3n de dos factores. La gravedad de este problema depende del tipo de almacenamiento de sesi\u00f3n que haya configurado: en el peor de los casos, si est\u00e1 usando el almacenamiento de sesi\u00f3n de base de datos predeterminado de Django, las contrase\u00f1as de los usuarios son almacenadas en texto sin cifrar en su base de datos. En el mejor de los casos, si est\u00e1 utilizando la sesi\u00f3n de cookies firmada de Django, las contrase\u00f1as de los usuarios solo son almacenadas en texto sin cifrar dentro de la tienda de cookies de su navegador. En el caso com\u00fan de usar el almac\u00e9n de sesiones de cach\u00e9 de Django, las contrase\u00f1as de los usuarios son almacenadas en texto sin cifrar en cualquier almacenamiento de cach\u00e9 que haya configurado (generalmente Memcached o Redis). Esto ha sido corregido en la versi\u00f3n 1.12. Despu\u00e9s de la actualizaci\u00f3n, los usuarios deben asegurarse de eliminar las contrase\u00f1as de texto sin cifrar que hayan sido almacenadas. Por ejemplo, si est\u00e1 usando el back-end de sesi\u00f3n de la base de datos, es probable que quiera eliminar cualquier registro de sesi\u00f3n de la base de datos y purgar esos datos de cualquier copia de seguridad o r\u00e9plica de la base de datos. Adicionalmente, las organizaciones afectadas que han sufrido una violaci\u00f3n de la base de datos al usar una versi\u00f3n afectada deben reportar a sus usuarios que sus contrase\u00f1as de texto sin cifrar han sido comprometidas. Todas las organizaciones deben exhortar a los usuarios cuyas contrase\u00f1as son almacenadas de forma no segura para que cambien estas contrase\u00f1as en los sitios donde se utilizaron. Como soluci\u00f3n alternativa, cambiar el almacenamiento de sesi\u00f3n de Django para usar cookies firmadas en lugar de la base de datos o cach\u00e9 disminuye el impacto de este problema, pero no se debe hacer sin un conocimiento profundo de las compensaciones de seguridad del uso de cookies firmadas en lugar de un almacenamiento de sesi\u00f3n del lado del servidor. No existe manera de mitigar completamente el problema sin actualizar"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 4.2
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 4.2
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
          "baseScore": 3.6,
          "accessVector": "NETWORK",
          "accessComplexity": "HIGH",
          "authentication": "SINGLE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE"
        },
        "baseSeverity": "LOW",
        "exploitabilityScore": 3.9,
        "impactScore": 4.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-312"
        }
      ]
    },
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-312"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:django_two-factor_authentication_project:django_two-factor_authentication:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "1.12",
              "matchCriteriaId": "7D3A415A-770B-405A-9C77-72D6142C79C4"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08",
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ]
    }
  ]
}